Handbook 6.0.0

Configuring profiles

  1. Go to Security Profiles > SSL/SSH Inspection. This will open to one of the existing profiles. Your FortiGate unit has two pre-configured SSL/SSH Inspection profiles that cannot be edited: certificate-inspection and deep-inspection. You must clone and edit the pre-configured profiles or create a new profile to exempt any additional sites or FortiGuard categories. The links for the actions are located in the upper right-hand corner of the window.
    • To view a list of the existing profiles, select the List icon (a page) at the far right.
    • To clone an existing profile, select the Clone icon (one page behind another), second from the right.
    • To create a new profile, select the Create New icon ("+" symbol), third from the right.
    • To view or edit an existing profile, choose it from the dropdown menu field.
  2. Name Field: Give the profile an easily identifiable name that references its intent.
  3. Comments Field: Enter any additional information that might be needed by administrators, as a reminder of the profile's purpose and scope.
  4. SSL Inspection Options:
    1. Enable SSL Inspection of:
      • Multiple Clients Connecting to Multiple Servers - Use this option for generic policies where the destination is unknown.
      • Protecting SSL Server - Use this option when setting up a profile customized for a specific SSL server with a specific certificate.
    2. Inspection Method: The options here are:
      • SSL Certificate Inspection - only inspects the certificate, not the contents of the traffic.
      • Full SSL Inspection - inspects all of the traffic.
    3. CA Certificate: Use the drop-down menu to choose which one of the installed certificates to use for the inspection of the packets, or click on Download Certificate.
    4. Untrusted SSL Certificates: Select an action for untrusted SSL certificates.
    5. Protocol Port Mapping / Inspect All Ports: Enable the ability to inspect all ports by checking the box. If the feature is not enabled, specify in the field next to each listed protocol the port through which that protocol's traffic will be inspected. Traffic of that protocol going through any other port will not be inspected.

    Note: If you select Inspect All Ports, then only the IPS engine is used for inspection.

  5. Exempt from SSL Inspection: Use the dropdown menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection.
    • Reputable Websites - Enable this option to exempt any websites identified by FortiGuard as reputable.
    • Web Categories - By default the categories Finance and Banking, Health and Wellness, and Personal Privacy have been added, as these are the ones most likely to contain applications that require a specific certificate.
    • Addresses - These can be any of the Address objects that have an interface of "Any".
    • Log SSL exemptions - Enable this option to log all SSL exemptions.
  6. SSH Inspection Options:
    1. SSH Deep Scan: Toggle to disable or enable the feature.
    2. SSH Port: The available options are:
      • Any - choosing this option will search all of the traffic, regardless of service or TCP/IP port, for packets that conform to the SSH protocol.
      • Specify - choosing this option will restrict the search for SSH protocol packets to the TCP/IP port number specified in the field. This is not as comprehensive, but it is easier on the performance of the firewall.
    3. Protocol Actions:
      • Exec - Block, Log or neither. Select using check boxes.
      • Port-Forward - Block, Log or neither. Select using check boxes.
      • SSH-Shell - Block, Log or neither. Select using check boxes.
      • X11-Filter - Block, Log or neither. Select using check boxes.
  7. Common Options:
    1. Allow Invalid SSL Certificates: Check the box to allow traffic with an invalid certificate to pass.
    2. Log SSL anomalies: Check the box to allow the Logging function to record traffic sessions containing invalid certificates.

    The Full SSL Inspection method is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you want it enabled before applying the inspection profile.
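The Common Options above (Allow Invalid SSL Certificates, Log SSL anomalies) and the Full SSL Inspection default are the settings most worth reviewing after profiles have been cloned and edited. The following audit script is an added example, not Fortinet's code: it parses a CLI-style export of `config firewall ssl-ssh-profile` and flags those settings per profile. The export text is constructed, and the attribute names (`allow-invalid-server-cert`, `ssl-anomalies-log`, `https` / `status`) are assumed to match the FortiOS 6.0 CLI names for the GUI options on this page.

```python
# Constructed sample export; attribute names assumed to match the FortiOS 6.0 CLI.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set status deep-inspection
        end
        set allow-invalid-server-cert disable
    next
    edit "branch-permissive"
        config https
            set status certificate-inspection
        end
        set allow-invalid-server-cert enable
        set ssl-anomalies-log disable
    next
end
"""

# Setting -> (value that weakens the profile, why a reviewer should care)
RISKY = {
    "allow-invalid-server-cert": ("enable", "traffic with invalid certificates is passed"),
    "ssl-anomalies-log": ("disable", "sessions with invalid certificates are not logged"),
}

def parse_profiles(text):
    """Return {profile: {"section.key" or "key": value}} from a CLI export."""
    profiles, name, section = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('edit "'):
            name = line.split('"')[1]
            profiles[name] = {}
        elif line.startswith("config ") and name:
            section.append(line.split()[1])  # enter the https/ssh sub-table
        elif line == "end" and section:
            section.pop()
        elif line == "next":
            name = None
        elif line.startswith("set ") and name:
            _, key, value = line.split(None, 2)
            profiles[name][".".join(section + [key])] = value
    return profiles

def audit(profiles):
    """Map each profile name to the findings a reviewer should look at."""
    findings = {}
    for name, s in profiles.items():
        issues = [f"{k}={v}: {why}" for k, (v, why) in RISKY.items() if s.get(k) == v]
        if s.get("https.status") == "deep-inspection":
            issues.append("https.status=deep-inspection: full inspection is on, confirm it is intended")
        findings[name] = issues
    return findings
```

Run `audit(parse_profiles(text))` against a real export to get one findings list per profile; an empty list means none of the reviewed settings is in its permissive state.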
