Friday, March 4, 2022

Fortigate SSL/TLS Inspection

SSL (TLS) deep inspection lets the FortiGate inspect encrypted, Internet-bound (outbound) traffic and apply Security Profiles (UTM) to it. The FortiGate acts as a man-in-the-middle: it terminates the client's TLS session, opens its own TLS session to the server and re-signs the server certificate with its own CA, so that profiles such as Antivirus, Web Filter and Application Control can see the plaintext.

 

To configure SSL Inspection, go to Security Profiles > SSL/SSH Inspection.

 

Notice that there are default inspection profiles already created. Select custom-deep-inspection > click Edit (or just double-click).

Under Common Options > select Invalid SSL certificates: Allow > click OK. Allow passes sessions to servers whose certificate fails validation instead of blocking them; it is convenient in a lab, but in production it should stay at Block, because Allow removes the certificate check the FortiGate performs on the client's behalf.


The next step is to enable SSL Inspection in a Firewall Policy. Go to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit (or just double-click).

Under Security Profiles > select SSL Inspection: custom-deep-inspection > click OK.
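The same configuration from the CLI, as an added example that is not part of the original post. It assumes a FortiOS 6.2-era release, that FG_LAN_INTERNET is policy ID 1, and that the per-protocol keyword for invalid server certificates is invalid-server-cert (later releases split this into untrusted-server-cert, expired-server-cert and similar; run set ? inside the profile to see the names on your unit). The Block alternative is shown in a comment because that is what a production deployment should use.

```fortios
# Added example, not from the original post. Assumptions: FortiOS 6.2-era CLI,
# policy ID 1 is FG_LAN_INTERNET, keyword for invalid server certs is
# "invalid-server-cert" (verify with "set ?" on your release).

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        # CA used to re-sign server certificates for inspected sessions;
        # this is the certificate that must be trusted by the clients
        set caname "Fortinet_CA_SSL"
        # CA used for servers that fail validation, so the browser still warns
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
            # Lab setting from the post. Production: set invalid-server-cert block
            set invalid-server-cert allow
        end
    next
end

config firewall policy
    edit 1
        set name "FG_LAN_INTERNET"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```

After applying this, the browser on a client still warns until Fortinet_CA_SSL is installed in its trusted root store, which is the next step in the post.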


Notice there's a warning icon next to SSL Inspection. Hover over it to read it.

I tried to access https://www.cnn.com but was presented with a warning: There is a problem with this website's security certificate.

The FortiGate includes a default CA certificate called Fortinet_CA_SSL, which it uses to re-sign server certificates during full SSL inspection. The browser does not trust this CA, so it warns on every inspected site. You can avoid the warning by downloading the Fortinet_CA_SSL certificate and installing it in the machine's trusted root store; once it is installed, the site certificate shown by the browser's padlock is issued by Fortinet_CA_SSL, which is also how you confirm the FortiGate is inspecting the session. Note that any machine trusting this CA will accept whatever certificate the FortiGate presents, so distribute it only to managed clients (for a Windows domain, via Group Policy) rather than by hand.

 

To download the FortiGate SSL certificate, go to System > Certificates > select Fortinet_CA_SSL > click View Details.

 


Click Download > Save File.

To install the Fortinet_CA_SSL in Internet Explorer, go to Tools > Internet Options > Content > Certificates.

Under Trusted Root Certification Authorities > click Import.

Run the Certificate Import Wizard > click Next.

Browse for the Fortinet_CA_SSL.cert > click Next.

Select Place all certificates in the following store and make sure the store is Trusted Root Certification Authorities (not Personal; a CA certificate in the Personal store is not used to validate server certificates) > click Next.

Click Finish.

Click Yes on the security warning about installing a root certification authority.

Click OK.

Select the newly installed Fortinet SSL certificate > click View.

I accessed again https://www.cnn.com but this time there's no certificate error being presented.

To view FortiGate logs, go to Log & Report > Forward Traffic. 

Notice the log entries with Application Name: SSL.

Select the SSL log > click Details.


Friday, February 4, 2022

FortiGate Logging and Antivirus Security Profile

To enable logging on the Firewall Policy, go to Policy & Objects > Firewall Policy.

 

Select FG_LAN_INTERNET > click Edit (or just double-click).

 

Under Security Profiles > enable (toggle): Antivirus, Application Control, IPS.

 

Under Logging Options > enable (toggle) Log Allow Traffic > All Sessions > click OK.

 

You can create a new profile or edit the existing Security Profiles.

To view the FortiGate traffic logs, go to Log & Report > Forward Traffic.

Select a specific log > click Details.

 

Notice the Application Name: Facebook, Category: Social Media, Security Action: Allowed and Policy ID: FG_LAN_INTERNET.

 

 

You can narrow down the search by clicking Add Filter.

 

In this example, I chose the Application Name: Youtube.

 


The FortiGate displayed Forward Traffic logs related only to Youtube.
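The CLI equivalent of the two procedures above (enabling the Security Profiles and session logging on the policy, then filtering Forward Traffic by application), as an added example that is not part of the original post. It assumes FG_LAN_INTERNET is policy ID 1 and reuses the profile named default that FortiOS ships for Antivirus, Application Control and IPS; the post's own profiles may have different names.

```fortios
# Added example, not from the original post. Assumptions: policy ID 1 is
# FG_LAN_INTERNET; the "default" antivirus, application-control and IPS
# profiles exist (they ship with FortiOS).

config firewall policy
    edit 1
        set name "FG_LAN_INTERNET"
        # Security Profiles section in the GUI
        set utm-status enable
        set av-profile "default"
        set application-list "default"
        set ips-sensor "default"
        # Logging Options > Log Allow Traffic: All Sessions
        set logtraffic all
    next
end

# Equivalent of Log & Report > Forward Traffic with the filter
# Application Name: Youtube. Category 0 is traffic; "app" is the log
# field the GUI labels Application Name.
execute log filter reset
execute log filter category 0
execute log filter field app YouTube
execute log display
```

set logtraffic utm would log only sessions on which a Security Profile took an action; all is what the GUI calls All Sessions and is the setting you want while testing, since it also records the allowed Facebook and YouTube sessions shown above.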

The Chrome web browser has a built-in security feature, so I used Internet Explorer instead to test the Antivirus Security Profile. Go to wicar.org to download a test malware file.

Notice it displayed a High Security Alert when a virus was detected.

To view Antivirus log, go to Log & Report > Antivirus. 

Select a specific Antivirus log > click Details.

 

Notice the Threat Level: Critical, which corresponds to a Threat Score of 50.

 

You can also view the FortiGate top talkers in the Dashboard > FortiView.


Sunday, January 2, 2022

FortiGate Captive Portal

A Captive Portal is a convenient way to authenticate web users on wired or Wi-Fi networks with an HTML (web) form that asks for a username and password (active authentication).

 

You must first create a user and then add the user to a user group. To create a new user, go to User & Authentication > User Definition > Create New.

 

Notice there's a guest user created by default.

Select Local User > Next.

Type Username: cp-user > type Password: fortinet > click Next.

Leave the Two-factor Authentication disabled > click Next.

Leave the User Account Status Enabled > leave the User Group disabled.

 

We can't add cp-user to a new User Group from here because the user hasn't been created yet and is therefore not selectable.

 


To create a new User Group, go to User & Authentication > User Groups > Create new.

 

Notice there's Guest-group and SSO_Guest_Users created by default.

 

Type a Name: CP-GROUP-1 > select Type: Firewall > click add (+) in Members > select cp-user > click Close > OK.


To enable Captive Portal, go to Network > Interfaces > select port2 > click Edit (or just double-click). This is the interface that receives the wired client traffic.


Scroll down > enable Security Mode: Captive Portal > select Authentication portal: Local > select User access: Restricted to Groups > select User groups > CP-GROUP-1 > click Close > OK.
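The user, group and interface steps above from the CLI, as an added example that is not part of the original post, followed by the commands used to check who is authenticated. It assumes port2 is the wired LAN interface and uses the lab password from the post; in production use a strong password or, better, a RADIUS or LDAP server instead of a local account. The disclaimer setting is not repeated here because the post covers it in its own CLI session below.

```fortios
# Added example, not from the original post. Assumptions: port2 is the LAN
# interface facing the wired clients; "fortinet" is the lab password only.

config user local
    edit "cp-user"
        set type password
        set passwd "fortinet"
    next
end

config user group
    edit "CP-GROUP-1"
        # Type: Firewall is the default group type
        set member "cp-user"
    next
end

config system interface
    edit "port2"
        # Security Mode: Captive Portal, Authentication portal: Local,
        # User access: Restricted to Groups
        set security-mode captive-portal
        set security-groups "CP-GROUP-1"
    next
end

# Verification: list currently authenticated firewall users (the CLI view of
# Dashboard > Users & Devices > Firewall Users). "clear" without a filter
# deauthenticates every user, not just cp-user.
diagnose firewall auth list
diagnose firewall auth clear
```

Until a client on port2 has authenticated, its HTTP requests are redirected to the portal and nothing else is forwarded, so confirm management access to the FortiGate does not depend on this interface before enabling the mode.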


Enable the Captive Portal Disclaimer Message via CLI (for wired users). The number after edit is the policy ID (1 in this lab); entering set disclaimer followed by ? lists the two accepted values before the setting is applied.

FG-1 # config firewall policy
FG-1 (policy) # edit 1
FG-1 (1) # set disclaimer
enable     Enable user authentication disclaimer.
disable    Disable user authentication disclaimer.
FG-1 (1) # set disclaimer enable
FG-1 (1) # end

 

 

I tested the Captive Portal by accessing the website training.fortinet.com from 172.16.1.100 (Windows 7 VM).

 

You'll be redirected to the FortiGate Authentication web page. Type the username: cp-user > type the password: fortinet > click Continue.

Once logged in, a Firewall Disclaimer is presented. Click Yes, I agree to continue.


To view the Firewall User/Captive Portal logs, go to Log & Report > Events > User Events.

Notice the User Events for cp-user.

Select a specific log > click Details.



You can also view and deauthenticate firewall users under Dashboard > Users & Devices > click Firewall Users > expand to full screen.

Select a specific User Name: cp-user > click Deauthenticate.

Click OK to continue.

Notice cp-user was cleared.

I refreshed the web browser on 172.16.1.100 (Windows 7 VM), and it required me to log in again to the FortiGate Captive Portal.