FortiOS 6 – SSL/SSH inspection

SSL certificate inspection

FortiGates also support a second type of SSL inspection, called SSL certificate inspection. When certificate inspection is used, the FortiGate only inspects the header information of the packets.

Certificate inspection is used to verify the identity of web servers and can be used to make sure that the HTTPS protocol isn’t used as a workaround to access sites you have blocked using web filtering.

The only security feature that can be applied using SSL certificate inspection mode is web filtering. However, since only the packet header is inspected, this method does not introduce certificate errors and can be a useful alternative to full SSL inspection when web filtering is used.

Troubleshooting

The most common problem with SSL inspection is users receiving SSL errors when the CA certificate is not trusted. This is because by default the FortiGate uses a certificate that is not trusted by the client. There are two ways to fix this:

  1. All users must import the FortiGate’s default certificate into their client applications as a trusted certificate.
  2. Configure the FortiGate to use a certificate that is already trusted by your clients. For example, a certificate signed by a CA that your clients already trust.

The first method can be more labor intensive because you have to distribute a certificate to all clients. This can also be an ongoing problem as new clients are added to your network. The second method is usually less work but may require paying a CA for a certificate. Both of these methods are covered in the recipe Preventing Certificate Warnings.

If you choose to install the certificate on client applications, this can be done with greater ease in a Microsoft Active Directory domain environment by using Group Policy Objects to install the certificate on domain members. Check that the Group Policy has propagated to all computers by opening Internet Explorer on a workstation PC, opening Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities, and ensuring that the FortiGate’s certificate is present.

For corporate-owned mobile devices, MDM solutions like AirWatch, MobileIron, or Fiberlink use the Simple Certificate Enrollment Protocol (SCEP) to ease certificate enrollment.

Best practices

Because all traffic needs to be decrypted, inspected, and re-encrypted, using SSL inspection can reduce overall performance of your FortiGate. To make sure you aren’t using too many resources for SSL inspection, do the following:

  • Know your traffic – Know how much traffic is expected and what percent of the traffic is encrypted. You can also limit the number of policies that allow encrypted traffic.
  • Be selective – Use white lists or trim your policy to apply SSL inspection only where it is needed.
  • Use hardware acceleration – FortiGate models with either the CP6 or CPU processor have an SSL/TLS protocol processor for SSL content scanning and SSL acceleration. For more information about this, see the Hardware Acceleration handbook.
  • Test real-world SSL inspection performance yourself – Use the flexibility of FortiGate’s security policy to gradually deploy SSL inspection, rather than enabling it all at once.

Creating or editing an SSL/SSH Inspection profile

  1. Go to Security Profiles > SSL/SSH Inspection. This will open to one of the existing profiles. Your FortiGate unit has two pre-configured SSL/SSH Inspection profiles that cannot be edited: certificate-inspection and deep-inspection. You must clone and edit the pre-configured profiles or create a new profile to exempt any additional sites or FortiGuard categories. The links for the actions are located in the upper right hand corner of the window.
    • To view a list of the existing profiles, select the List icon (a page) at the far right.
    • To clone an existing profile, select the Clone icon (one page behind another), second from the right.
    • To create a new profile, select the Create New icon (“+” symbol), third from the right.
    • To view or edit an existing profile, choose it from the dropdown menu field.
  2. Name Field: Give the profile an easily identifiable name that references its intent.
  3. Comments Field: Enter any additional information that might be needed by administrators, as a reminder of the profile’s purpose and scope.
  4. SSL Inspection Options:
    1. Enable SSL Inspection of:
      • Multiple Clients Connecting to Multiple Servers – Use this option for generic policies where the destination is unknown.
      • Protecting SSL Server – Use this option when setting up a profile customized for a specific SSL server with a specific certificate.
    2. Inspection Method. The options here are:
      • SSL Certificate Inspection – only inspects the certificate, not the contents of the traffic.
      • Full SSL Inspection – inspects all of the traffic.
    3. CA Certificate: Use the drop down menu to choose which one of the installed certificates to use for the inspection of the packets, or click Download Certificate.
    4. Untrusted SSL Certificates: Select an action for untrusted SSL certificates.
    5. Protocol Port Mapping / Inspect All Ports: Enable the ability to inspect all ports by checking the box. If the feature is not enabled, specify in the field next to each listed protocol the port through which that protocol’s traffic will be inspected. Traffic of that protocol going through any other port will not be inspected.
    6. Exempt from SSL Inspection: Use the dropdown menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection.
      • Reputable Websites – Enable this option to exempt any websites identified by FortiGuard as reputable.
      • Web Categories – By default the categories Finance and Banking, Health and Wellness, and Personal Privacy have been added, as these are the ones most likely to have applications that require a specific certificate.
      • Addresses – These can be any of the Address objects that have an interface of “Any”.
      • Log SSL exemptions – Enable this option to log all SSL exemptions.
  5. SSH Inspection Options:
    1. SSH Deep Scan: Toggle to disable or enable the feature.
    2. SSH Port. The available options are:
      • Any – choosing this option will search all of the traffic, regardless of service or TCP/IP port, for packets that conform to the SSH protocol.
      • Specify – choosing this option will restrict the search for SSH protocol packets to the TCP/IP port number specified in the field. This is not as comprehensive, but it is easier on the performance of the firewall.
    3. Protocol Actions. For each of the following, select Block, Log, or neither using the check boxes:
      • Exec
      • Port-Forward
      • SSH-Shell
      • X11-Filter
  6. Common Options:
    1. Allow Invalid SSL Certificates: Check the box to enable the passing of traffic with invalid certificates.
    2. Log SSL anomalies: Check the box to allow the Logging function to record traffic sessions containing invalid certificates.

The Full SSL Inspection method is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you want it enabled before applying the inspection profile.
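The GUI steps above map onto the firewall ssl-ssh-profile object in the CLI. As an added example that is not from the original page, the following creates a new profile that applies certificate inspection to HTTPS on port 443 only (the web-filtering use case described earlier), leaves the other protocols uninspected, exempts one address object, and logs both exemptions and anomalies; the profile name and the address object name are placeholders, and the two CA names are the FortiGate defaults.

```fortios
config firewall ssl-ssh-profile
    edit "cert-inspect-webfilter"
        # placeholder profile name; reminder of purpose and scope
        set comment "Certificate inspection only, for web filtering; no decryption"
        # re-sign server certificates with the CA chosen below
        set server-cert-mode re-encryption
        # default FortiGate CAs; replace with an imported, client-trusted CA to avoid browser warnings
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Protocol Port Mapping: HTTPS on 443 only, certificate inspection (not deep inspection)
        config https
            set ports 443
            set status certificate-inspection
        end
        # other SSL protocols are not inspected by this profile
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        # SSH Deep Scan off
        config ssh
            set status disable
        end
        # Exempt from SSL Inspection: one address object (placeholder name)
        config ssl-exempt
            edit 1
                set type address
                set address "PLACEHOLDER-exempt-address"
            next
        end
        # Reputable Websites (FortiGuard secure white list)
        set whitelist enable
        # Log SSL exemptions / Log SSL anomalies
        set ssl-exemptions-log enable
        set ssl-anomalies-log enable
    next
end
```

Apply the profile by referencing it from a firewall policy that also carries the web filter profile; check the exemption and anomaly logs after a short pilot before widening the policy scope.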

Secure white list database

You can enable a feature that gathers a list of reputable domain names that can be excluded from SSL deep inspection. This list is periodically updated and downloaded to FortiGate units through FortiGuard.

Go to Security Profiles > SSL Inspection, enable Exempt from SSL Inspection, and enable Reputable Websites. The reputable websites are rated by FortiGuard Web Filtering.

CLI syntax:

config firewall ssl-ssh-profile
    edit deep-inspection
        set whitelist enable
    next
end

This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
