SSL (TLS) deep inspection on outbound traffic allows FortiGate to inspect encrypted Internet-bound traffic (outbound) and apply Security Profiles (UTM). The FortiGate acts as a Man-In-The-Middle to inspect traffic and apply the Security Profiles such as Antivirus, Web Filter and Application Control.
To configure SSL Inspection, go to Security Profiles > SSL/SSH Inspection.
Notice there are default inspection profiles created. Select custom-deep-inspection > click Edit (or just double-click).
Under Common Options > select Invalid SSL certificates: Allow > click OK. Note that Allow means connections to servers whose certificates fail validation (expired, untrusted, mismatched) are permitted rather than blocked; set this with care on production policies.
The next step is to enable SSL Inspection in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit (or just double-click).
Under Security Profiles > select SSL Inspection: custom-deep-inspection > click OK.
Notice there's a warning near the SSL Inspection. Hover to view it.
I tried to access https://www.cnn.com but was presented with a warning: There is a problem with this website's security certificate.
The FortiGate includes a system default SSL certificate called Fortinet_CA_SSL, which can be used for full SSL inspection. You can avoid the web browser certificate warning by downloading and installing the Fortinet_CA_SSL certificate on your machine.
To download the FortiGate SSL certificate, go to System > Certificates > select Fortinet_CA_SSL > click View Details.
Click Download > Save File.
To install the Fortinet_CA_SSL in Internet Explorer, go to Tools > Internet Options > Content > Certificates.
Under Trusted Root Certification Authorities > click Import.
Run the Certificate Import Wizard > click Next.
Browse for the Fortinet_CA_SSL.cert > click Next.
Select the default Place all certificates in the following store: Personal > click Next.
Click Finish.
Click Yes.
Click OK.
Select the newly installed Fortinet SSL certificate > click View.
I accessed https://www.cnn.com again, and this time no certificate error was presented.
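The same import and check can be scripted. The following PowerShell is an added example, not from the original post or from Fortinet: it assumes the CA was downloaded as Fortinet_CA_SSL.cer into the current directory and that its subject contains "Fortinet", installs it into the user's Trusted Root store, then opens a TLS connection and reports whether the server certificate received was re-signed by the FortiGate CA (which is how you confirm deep inspection is actually applied to that flow).

```powershell
# Added example (not from the original post): install the FortiGate CA and verify
# that a connection to a site is being deep-inspected by the FortiGate.
# Assumptions: Fortinet_CA_SSL.cer is in the current directory and its subject
# contains "Fortinet"; Import-Certificate (PKI module) is available.
param(
    [string]$CaFile   = ".\Fortinet_CA_SSL.cer",
    [string]$TestHost = "www.cnn.com"
)

# 1. Import the FortiGate CA into the current user's Trusted Root store
#    (scripted equivalent of the Certificate Import Wizard steps above).
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 2. Confirm the CA is now present in the trusted root store.
$ca = Get-ChildItem Cert:\CurrentUser\Root |
      Where-Object { $_.Subject -like "*Fortinet*" } |
      Select-Object -First 1
if (-not $ca) { throw "FortiGate CA not found in the Trusted Root store" }
"Trusted root installed: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# 3. Open a TLS connection and read the certificate the client actually receives.
#    The validation callback always returns $true here only so the certificate can be
#    inspected even if it is untrusted; trust is then checked explicitly below.
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($TestHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 4. Under deep inspection the FortiGate re-signs the site certificate with
#    Fortinet_CA_SSL, so the issuer is the FortiGate CA rather than the site's public CA.
"Server certificate for ${TestHost}:"
"  Subject : $($serverCert.Subject)"
"  Issuer  : $($serverCert.Issuer)"
if ($serverCert.Issuer -eq $ca.Subject) {
    "Deep inspection is active: the certificate was re-signed by the FortiGate CA."
} else {
    "Not issued by the FortiGate CA: this flow is not being inspected (exempted, or the policy does not match)."
}
```

Use Cert:\LocalMachine\Root instead of Cert:\CurrentUser\Root (from an elevated prompt) to trust the CA for every user on the machine.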
To view FortiGate logs, go to Log & Report > Forward Traffic.
Notice the log with the Application Name: SSL.
Select the SSL log > click Details.