Configuring SSL deep inspection

By default, FortiSASE uses SSL certificate inspection, which inspects only the header information up to the SSL/TLS layer. Certificate inspection verifies the identity of web servers by analyzing the SSL/TLS negotiation, looking only at the server certificate and TLS connection parameters. Certificate inspection is more straightforward and does not require installing a CA certificate on the endpoints, but it does not inspect the content or payload encrypted by SSL/TLS.

While HTTPS offers protection on the Internet by applying SSL encryption to web traffic, malicious traffic can also use SSL encryption to get around your network's normal defenses. For example, you may download a file containing a virus during an e-commerce session or receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer.

Therefore, SSL deep inspection can be used to protect against the infiltration described above by scanning for malicious content in your HTTPS web traffic or identifying phishing content in encrypted mail exchanges. SSL deep inspection can also defend against exfiltration, when an infected host calls home to a C&C server or leaks company secrets over encrypted sessions.

By enabling SSL deep inspection, FortiSASE decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient. You can configure exemptions for deep inspection.

When you use deep inspection, FortiSASE acts as an intermediary and connects to the SSL server on behalf of the client. It decrypts and inspects the content to find threats and block them. The client is presented with a certificate issued by FortiSASE using its default or custom CA certificate, instead of the real server certificate. Because FortiClient automatically receives the CA certificate from FortiSASE and installs it in the trusted certificate store, endpoint users do not see browser certificate warnings.

To configure SSL deep inspection:
  1. Go to Configuration > Security.
  2. Note that SSL Inspection is always enabled and cannot be disabled. By default, FortiSASE uses certificate inspection. In the SSL Inspection widget, click Customize.
  3. The SSL Inspection pane displays the SSL inspection modes that can be configured.
    1. Select Deep Inspection.
    2. Under Inspection Options, select the CA Certificate (the default). You can upload your own organization’s CA certificate by selecting the dropdown list next to CA Certificate and clicking Create. Follow the steps in the Create pane to upload your own CA certificate.
  4. Click OK. After configuring the above SSL deep inspection settings, the FortiSASE Endpoint Management Service automatically deploys the CA certificate to FortiClient endpoints that FortiSASE manages.
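
Because deep inspection replaces the real server certificate with one issued by the FortiSASE CA, the issuer seen from an endpoint shows whether a given site is being decrypted or passed through. The following check is an added example, not Fortinet code; the CA name `Example Inspection CA`, the function names and the sample certificates are assumptions made for illustration.

```python
import socket
import ssl

# Assumption: commonName of the CA certificate selected under Inspection Options.
# Placeholder value; replace it with the subject CN of your default or custom CA.
INSPECTION_CA_CN = "Example Inspection CA"


def issuer_field(peercert, field):
    """Return one issuer attribute from the dict produced by getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify(peercert, ca_cn=INSPECTION_CA_CN):
    """Decide whether a validated certificate was issued by the inspection CA."""
    if issuer_field(peercert, "commonName") == ca_cn:
        return "deep-inspected"
    return "not-decrypted"  # exempted site, or certificate inspection only


def probe(host, port=443, ca_cn=INSPECTION_CA_CN, timeout=5):
    """Connect from an endpoint and report how the session was handled."""
    ctx = ssl.create_default_context()  # loads the default trusted CA certificates
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), ca_cn)
    except ssl.SSLCertVerificationError:
        # The chain did not validate against this client's trust store,
        # for example because the inspection CA is not installed there.
        return "untrusted-chain"


# Constructed samples in getpeercert() format (not captured from real sessions).
RESIGNED = {"subject": ((("commonName", "shop.example"),),),
            "issuer": ((("organizationName", "Example Org"),),
                       (("commonName", "Example Inspection CA"),))}
ORIGINAL = {"subject": ((("commonName", "bank.example"),),),
            "issuer": ((("organizationName", "Example Public CA Inc"),),
                       (("commonName", "Example Public CA"),))}

if __name__ == "__main__":
    for name, cert in (("shop.example", RESIGNED), ("bank.example", ORIGINAL)):
        print(name, classify(cert))
```

Running `probe()` against a site on the exemption list and one that is not confirms that the exemptions behave as configured; an `untrusted-chain` result points to a client whose trust store did not receive the CA certificate.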
