SSL Inspection – Certificate Inspection – Deep Inspection

SSL Inspection

Certificate inspection

FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you can use directly. When you use certificate inspection, the FortiGate only inspects the header information of the packets.

If you do not want to deep scan for privacy reasons but you want to control web site access, you can use certificateinspection.

Inspect non-standard HTTPS ports

The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you must create a new certificate inspection profile.

If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.

If you do not know which port is used in the HTTPS web server, you can select Inspect All Ports.

Block untrusted or allow invalid certificate

The default setting in the certificate-inspection profile is to block invalid certificates and allow untrusted certificates.

For example, the server certificate has expired but you still want to access this server until you have a new server certificate. But because certificate inspection cannot do an exemption, you have to allow the invalid certificate in your SSL profile. This means you need to create a new certificate inspection profile using the built-in read-only certificateinspection.

Deep inspection

You typically apply deep inspection to outbound policies where destinations are unknown. You can configure address and web category white lists to bypass SSL deep inspection.

Reasons for using deep inspection

While Hypertext Transfer Protocol Secure (HTTPS) offers protection on the Internet by applying Secure Sockets Layer (SSL) encryption to web traffic, encrypted traffic can be used to get around your network’s normal defenses.

For example, you might download a file containing a virus during an e-commerce session, or you might receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network’s security measures.

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.

Browser messages when using deep inspection

When FortiGate re-encrypts the content, it uses a certificate stored on the FortiGate such as Fortinet_CA_SSL, Fortinet_CA_Untrusted, or your own CA certificate that you uploaded.

Because there is no Fortinet_CA_SSL in the browser trusted CA list, the browser displays an untrusted certificate warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGatetrusted CA Fortinet_CA_SSL and import it into your browser.

After importing Fortinet_CA_SSL into your browser, if you still get messages about untrusted certificate, it must be due to Fortinet_CA_Untrusted. Never import the Fortinet_CA_Untrusted certificate into your browser.

To import Fortinet_CA_SSL into your browser:

  1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection and select deep-inspection.
  2. The default CA Certificate is Fortinet_CA_SSL.
  3. Select Download Certificate.
  4. On the client PC, double-click the certificate file and select Open.
  5. Select Install Certificate to launch the Certificate Import Wizard and use the wizard to install the certificate into the Trusted Root Certificate Authorities

If a security warning appears, select Yes to install the certificate.

Exempt web sites from deep inspection

If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address, category, or white list.

If you know the address of the server you want to exempt, you can exempt that address. You can exempt specific address type including IP address, IP address range, IP subnet, FQDN, wildcard-FQDN, and geography.

If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category which includes all finance and bank web sites identified in FortiGuard.

If you want to exempt commonly trusted web sites, you can bypass the SSL white list in the SSL/SSH profile. The white list includes common web sites trusted by FortiGuard. Simply enable Reputable Websites.

Protecting SSL Server

You typically use the FortiGate Protecting SSL Server profile as an inbound policy for clients on the Internet accessing the server on the internal side of the FortiGate.

Protecting SSL Server uses a server certificate to protect a single server.

If you do not want a client in the Internet accessing your internal server directly and you want FortiGate to simulate your real server, you can use Protecting SSL Server.

To upload a server certificate into FortiGate and use that certificate in the SSL/SSH Inspection Profile:

  1. Go to System > Certificates.
  2. Select Import > Local Certificate and upload the certificate.
  3. Go to Security Profiles > SSL/SSH Inspection and select Protecting SSL Server.

When you apply this Protecting SSL Server profile in a policy, FortiGate will send the server certificate to the client as your server does.

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “SSL Inspection – Certificate Inspection – Deep Inspection

  1. Chris Smith

    Could you discuss more about how SSL inspection and the CA within the Fortigate work? I see Fortinet and others suggest using the “Subordinate CA” template in MS ADCS to create a trusted cert for the Fortigate – and it is not clear why that is needed. The Fortigate seems to ship with about 16 local certificates and I’m not clear on what they are all used for. (Do I have to recreate these if I merge the Fortigate as a sub CA into my PKI?)

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.