
Fortigate SSL Inspection allows you to inspect HTTPS traffic in real-time, enabling you to block malware and unauthorized access to your network.
This feature is enabled by FortiOS's SSL inspection engine, which decrypts and re-encrypts SSL traffic to inspect its contents.
Fortigate SSL Inspection can be implemented in a few different ways, including using a FortiGate firewall or a FortiAnalyzer appliance.
To get started with Fortigate SSL Inspection, you'll need to configure your FortiGate firewall to allow HTTPS traffic to be inspected.
Discover more: Firewall Fortigate
What Is SSL Inspection
SSL inspection is a security feature that examines the contents of encrypted web traffic to identify potential threats.
It works by decrypting the traffic, scanning it for malware and other threats, and then re-encrypting it before allowing it to pass through the network.
SSL inspection can be configured to inspect traffic from specific sources or destinations, such as all traffic from a certain IP address or all traffic to a specific website.
The goal of SSL inspection is to provide an additional layer of security by detecting and blocking threats that might otherwise go undetected.
By decrypting the traffic, SSL inspection can identify threats that are hidden within encrypted packets, such as malware and other types of malicious code.
SSL inspection can be used to enforce security policies, such as blocking access to certain websites or applications.
For more insights, see: Fortigate Geo Blocking
Configuring SSL Inspection
To set up an SSL inspection profile, start by creating a new profile in Security Profiles > SSL/SSH Inspection. Give it a sensible name and change the CA Certificate to the one you just uploaded. This will ensure that your profile is properly configured.
You can customize exclusions, such as Microsoft.com or banking sites, to avoid inspecting certain traffic. Save the profile and then attach it to your Firewall Policy.
Here are the basic steps to create an SSL inspection profile:
- Import FortiGate CA Cert to Client Browsers
- Go to Security Profiles > SSL/SSH Inspection
- Click Create New > Select Full SSL Inspection
- Customize exclusions (e.g., Microsoft.com, banking sites)
- Save the profile
- Attach SSL Inspection profile to Firewall Policy
Create Profile
To create a profile for SSL inspection, you need to set up an SSL/SSH Inspection Profile on your FortiGate. According to the manufacturer's guide, it's recommended to do this first.
The profile should be given a sensible name, and the CA Certificate should be changed to the one you just uploaded. This can be done by going to Security Profiles > SSL/SSH Inspection > Create New.
To use the profile in your web access policy, you need to locate the policy that defines web traffic and edit it. Change the SSL Inspection to use your new profile.
Here are the steps to create a new SSL inspection profile:
- Go to Security Profiles > SSL/SSH Inspection > Create New.
- Give the policy a sensible name.
- Change the CA Certificate to the one you just uploaded.
- OK.
Remember, you can test the deployment by going to an https secure website and taking a look at the certificate, it should have been issued by your SubCA/Firewall.
Export the CA
Exporting the Fortinet_CA_SSL Certificate is a straightforward process. Once the policy has been checked and created, the certificate can be downloaded.
It's recommended to save the certificate file separately. This ensures that it's not accidentally deleted or overwritten during the configuration process.
A unique perspective: Verify Ssl Certificate Chain Openssl
Best Practices and Troubleshooting
To ensure a smooth SSL inspection experience with FortiGate, it's essential to follow some best practices.
Always install the FortiGate CA cert on endpoints, either via Group Policy Objects (GPO) or Mobile Device Management (MDM). This will prevent browser warnings and ensure secure connections.
Exclude sensitive or pinning sites, such as banking or government websites, from SSL inspection to avoid any potential issues.
Monitoring CPU and memory usage is crucial when enabling Full SSL inspection to avoid performance degradation.
Use Certificate Inspection for non-sensitive trusted traffic to maintain a balance between security and performance.
Enable deep inspection only where necessary, as it can impact performance and cause issues with certain applications.
Some common issues you might encounter with FortiGate SSL inspection include browser warnings due to an uninstalled FortiGate CA cert, broken applications that use certificate pinning or non-standard TLS, and slow performance caused by hardware offloading not being enabled or improper exclusions.
Here are some common issues you might encounter with FortiGate SSL inspection:
Deployment and Management
To deploy FortiGate CA signing certificates, you need to download a copy of the CA certificate it uses, typically called Fortigate_CA_SSL, from the management GUI.
This certificate should be saved somewhere accessible, so you can easily retrieve it later.
To ensure the certificate is properly installed, follow the wizard and select the certificate from the FortiGate. Make sure it gets put in the Trusted Root Certification Authority store!
You might like: Azure Wildcard Ssl Certificate
Testing and Rollout
Testing and Rollout is a critical phase of deployment and management. Before implementing any new security feature, it's essential to test it extensively to avoid any unanticipated problems.
To ensure a smooth rollout, it's crucial to test the firewall's performance regularly to make sure it has enough resources to handle the increased load.
Extensive testing will help you identify any potential issues and make necessary adjustments before going live. This will save you time and resources in the long run.
Regular performance checks will also help you optimize your firewall's configuration to ensure it can handle the demands of SSL Deep Inspection.
Deploy Microsoft Intune

Deploying Microsoft Intune can be a game-changer for managing your organization's devices.
You can deploy Fortigate SSL Deep Inspection Certificate with Microsoft Intune, making it easier to secure your network.
The policy can now be applied to a group of computers, streamlining your management process.
Group Policy Deployment
To deploy a FortiGate CA signing certificate via group policy, you need to download a copy of the CA certificate from the FortiGate's management GUI.
The certificate is typically named Fortigate_CA_SSL and can be found in System > Certificates.
Select the Fortigate_CA_SSL certificate and download a copy, saving it to a location where you can easily access it.
After downloading the certificate, navigate to the policy editor and follow the wizard to select the certificate from the FortiGate.
Make sure the certificate gets added to the Trusted Root Certification Authority store.
Close the policy editor and wait a couple of hours or force a domain policy refresh to complete the deployment.
For another approach, see: How to Download Pdf from Inspect Element
SSL Inspection Process
SSL inspection is a security feature that allows organizations to examine SSL traffic for malicious activity. It's a powerful tool in the fight against threats like viruses, spyware, and phishing attempts.
To enable SSL inspection, you need to configure your FortiGate firewall to act as a man-in-the-middle, intercepting encrypted traffic and inspecting its contents. This is done by selecting the custom-deep-inspection profile under Security Profiles > SSL/SSH Inspection.
The FortiGate firewall performs a deep inspection of the SSL traffic, checking it for potentially harmful content. It decrypts the traffic, inspects it, and then encrypts it again before forwarding it to the intended recipient.
The FortiGate includes a system default SSL certificate called Fortinet_CA_SSL, which can be used for full SSL inspection. This certificate can be downloaded from System > Certificates > select Fortinet_CA_SSL > click View Details.
To avoid web browser certificate warnings, you can download and install the Fortinet_CA_SSL certificate on your machine. This will allow you to access websites that use SSL encryption without seeing the warning.
Suggestion: Ssl Certificate for Azure
Here's a step-by-step guide to enabling SSL inspection on your FortiGate firewall:
- Go to Security Profiles > SSL/SSH Inspection and select the custom-deep-inspection profile.
- Under Common Options, select Invalid SSL certifications: Allow.
- Enable SSL Inspection in a Firewall Policy by going to Policy & Objects > Firewall Policy > select FG_LAN_INTERNET > click Edit.
- Select SSL Inspection: custom-deep-inspection under Security Profiles.
By following these steps, you can enable SSL inspection on your FortiGate firewall and protect your organization from threats hidden in encrypted traffic.
Preparation and Prerequisites
To increase security with SSL Deep Inspection, you need to meet certain prerequisites.
The manufacturer principle is crucial here, so make sure to act accordingly.
To ensure a smooth setup, you'll need to follow the necessary requirements.
Acting according to the manufacturer principle is essential for a secure setup.
This principle will guide you in setting up SSL Deep Inspection correctly.
Here's an interesting read: Fortigate Ipsec Vpn Setup
Key Concepts and Takeaways
SSL Inspection is crucial for modern threat visibility, allowing you to detect and prevent threats that might otherwise go undetected.
Full SSL Inspection is necessary for inspecting all content over HTTPS, not just the headers.
Certificate-based inspection is useful for trusted domains, making it easier to inspect traffic from known good sources.
Proper CA certificate deployment is key to avoiding client errors, so make sure to get it right.
Exclude sensitive services from SSL Inspection to avoid any potential issues, and monitor performance impacts to ensure everything runs smoothly.
Featured Images: pexels.com


