Create a new SSL inspection and authentication policy
This section describes how to create a new SSL inspection and authentication policy. This policy type is essentially a firewall policy for policy-based policy packages.
See NGFW policy in the FortiOS Administration Guide for more information.
The SSL Inspection & Authentication policy option is visible only if the NGFW Mode is selected as Policy-based in the policy package.
To create a new SSL inspection and authentication policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select SSL Inspection & Authentication.
- Click Create New.
- Enter the following information:

Option | Description
---|---
ID | Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length. Once a policy ID has been configured it cannot be changed.
Name | Enter a unique name for the policy. Each policy must have a unique name.
Incoming Interface | Click the field, then select interfaces. Click the remove icon to remove interfaces. New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.
Outgoing Interface | Select outgoing interfaces in the same manner as Incoming Interface.
Source Internet Service | Enable or disable source internet service, then select services.
IPv4 Source Address | Select the IPv4 source addresses, address groups, virtual IPs, and virtual IP groups. This option is only available when Source Internet Service is off.
IPv6 Source Address | Select the IPv6 source addresses, address groups, virtual IPs, and virtual IP groups. This option is only available when Source Internet Service is off.
Source User | Select source users. This option is only available when Source Internet Service is off.
Source User Group | Select source user groups. This option is only available when Source Internet Service is off.
FSSO Groups | Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.
Enforce ZTNA | Enable or disable ZTNA.
EMS Tag | Select the FortiClient EMS tag to match. This option is only available if Enforce ZTNA is enabled.
Geographic IP Tag | Select the Geographic IP tag to match. This option is only available if Enforce ZTNA is enabled.
Destination Internet Service | Turn destination internet service on or off, then select services.
IPv4 Destination Address | Select destination addresses, address groups, virtual IPs, and virtual IP groups. This option is only available when Destination Internet Service is off.
IPv6 Destination Address | Select destination addresses, address groups, virtual IPs, and virtual IP groups. This option is only available when Destination Internet Service is off.
Service | Select services and service groups. This option is only available when Destination Internet Service is off.
SSL/SSH Inspection | Select one of the following options for SSL/SSH Inspection: certificate-inspection, custom-deep-inspection, deep-inspection, or no-inspection.
Comments | Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options | Configure advanced options; see Advanced options below. For more information on advanced options, see the FortiOS CLI Reference.
Change Note | Add a description of the changes being made to the policy. This field is required.

- Click OK to create the policy.

You can enable or disable the policy from the right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
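The option table above carries several field dependencies (address, user and service selectors are only available while the matching Internet Service switch is off; EMS and Geographic IP tags require Enforce ZTNA; the ID is limited to 9 digits; the change note is mandatory). The following is an added example, not FortiManager or FortiOS code, that encodes those documented rules as a pre-flight check, so that a policy definition prepared outside the GUI can be validated before it is entered. The dataclass and its field names are assumptions made for this example.

```python
"""Pre-flight checks for an SSL inspection & authentication policy.

Added example, not FortiManager or FortiOS code. It encodes the
constraints and "only available when ..." dependencies that the option
table documents. The dataclass field names are assumptions made here.
"""
from dataclasses import dataclass, field

INSPECTION_MODES = ("certificate-inspection", "custom-deep-inspection",
                    "deep-inspection", "no-inspection")


@dataclass
class SslAuthPolicy:
    name: str
    change_note: str
    policy_id: int = 0                       # 0 = assign automatically
    source_internet_service: bool = False
    ipv4_source_address: list = field(default_factory=list)
    ipv6_source_address: list = field(default_factory=list)
    source_user: list = field(default_factory=list)
    source_user_group: list = field(default_factory=list)
    enforce_ztna: bool = False
    ems_tag: list = field(default_factory=list)
    geographic_ip_tag: list = field(default_factory=list)
    destination_internet_service: bool = False
    ipv4_destination_address: list = field(default_factory=list)
    ipv6_destination_address: list = field(default_factory=list)
    service: list = field(default_factory=list)
    ssl_ssh_inspection: str = "certificate-inspection"


# Selectors grouped by the switch that gates them in the GUI.
SOURCE_SELECTORS = ("ipv4_source_address", "ipv6_source_address",
                    "source_user", "source_user_group")
DESTINATION_SELECTORS = ("ipv4_destination_address",
                         "ipv6_destination_address", "service")
ZTNA_SELECTORS = ("ems_tag", "geographic_ip_tag")


def validate_policy(policy: SslAuthPolicy, existing_names=()) -> list:
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    if policy.policy_id < 0 or len(str(policy.policy_id)) > 9:
        problems.append("policy ID must be 0 (auto) or a number of at most 9 digits")
    if not policy.name:
        problems.append("name is required")
    elif policy.name in existing_names:
        problems.append(f"name {policy.name!r} is already used by another policy")
    if not policy.change_note:
        problems.append("change note is required")
    if policy.ssl_ssh_inspection not in INSPECTION_MODES:
        problems.append(f"unknown SSL/SSH inspection mode {policy.ssl_ssh_inspection!r}")

    # Explicit source selectors are only available while Source Internet Service is off.
    if policy.source_internet_service:
        for name in SOURCE_SELECTORS:
            if getattr(policy, name):
                problems.append(f"{name} is not available while Source Internet Service is on")
    # Same rule on the destination side, where Service is gated by the switch as well.
    if policy.destination_internet_service:
        for name in DESTINATION_SELECTORS:
            if getattr(policy, name):
                problems.append(f"{name} is not available while Destination Internet Service is on")
    # EMS and Geographic IP tags require Enforce ZTNA.
    if not policy.enforce_ztna:
        for name in ZTNA_SELECTORS:
            if getattr(policy, name):
                problems.append(f"{name} requires Enforce ZTNA to be enabled")
    return problems


if __name__ == "__main__":
    # Constructed sample: an address selected although Source Internet Service
    # is on, and an EMS tag set without Enforce ZTNA; both are reported.
    bad = SslAuthPolicy(name="inspect-outbound", change_note="initial",
                        source_internet_service=True,
                        ipv4_source_address=["LAN_subnet"],
                        ems_tag=["compliant"])
    for problem in validate_policy(bad):
        print("-", problem)
    good = SslAuthPolicy(name="inspect-outbound", change_note="initial",
                         ipv4_source_address=["LAN_subnet"],
                         ipv4_destination_address=["all"], service=["HTTPS"],
                         ssl_ssh_inspection="deep-inspection")
    print("ok" if not validate_policy(good) else "rejected")
```

The checker reports every violation at once rather than stopping at the first, which is what you want when reviewing a batch of policies exported from another source.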
Advanced options
Option | Description | Default
---|---|---
anti-replay | Enable or disable anti-replay checking. | enable
auth-cert | Select the HTTPS server certificate for policy authentication. | none
auth-path | Enable or disable authentication-based routing. | disable
auth-redirect-addr | Select the HTTP-to-HTTPS redirect address for firewall authentication. | none
auto-asic-offload | Enable or disable policy traffic ASIC offloading. | enable
block-notification | Enable or disable block notification. | disable
cgn-eif | Enable or disable CGN endpoint independent filtering. | disable
cgn-eim | Enable or disable CGN endpoint independent mapping. | disable
cgn-log-server-grp | Select the NP log server group. | none
cgn-resource-quota | Set the allowed number of blocks assigned to a source IP address. | 16
cgn-session-quota | Set the allowed concurrent sessions available for a source IP address. | 16777215
custom-log-fields | Select custom fields to append to log messages for this policy. | none
delay-tcp-npu-session | Enable or disable TCP NPU session delay to guarantee packet order of the 3-way handshake. | disable
diffserv-copy | Enable or disable copying of the DSCP values from the original direction to the reply direction. | disable
diffserv-forward | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure | disable
diffserv-reverse | Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure | disable
diffservcode-forward | Enter the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000
diffservcode-rev | Enter the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000
dlp-profile | Select an existing data leak prevention (DLP) profile. | none
dsri | Enable to ignore HTTP server responses. | disable
dstaddr-negate | Enable to negate the destination IP address. | disable
dstaddr6-negate | Enable to negate the destination IPv6 address. | disable
dynamic-shaping | Enable or disable dynamic RADIUS-defined traffic shaping. | disable
email-collect | Enable or disable email collection. | disable
fec | Enable or disable forward error correction (FEC) on traffic matching this policy on a FEC device. | disable
firewall-session-dirty | Select how to handle sessions if the configuration of this firewall policy changes. | check-all
fsso-agent-for-ntlm | Select the FSSO agent for NTLM authentication. | none
geoip-anycast | Enable or disable recognition of anycast IP addresses using the geography IP database. | disable
geoip-match | Select whether to match the address based on the physical or registered location. | physical-location
identity-based-route | Select the identity-based routing rule. | none
internet-service-negate | Enable to negate the internet service set in the policy. | disable
internet-service-src-negate | Enable to negate the source internet service set in this policy. | disable
internet-service6 | Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used. | disable
internet-service6-custom | Select a custom IPv6 internet service. | none
internet-service6-custom-group | Select a custom IPv6 internet service group. | none
internet-service6-group | Select an IPv6 internet service group. | none
internet-service6-name | Select an IPv6 internet service. | none
internet-service6-negate | Enable to negate the source IPv6 internet service set in this policy. | disable
internet-service6-src | Enable or disable use of the IPv6 internet services in the source for this policy. If enabled, the source address is not used. | disable
internet-service6-src-custom | Select the custom IPv6 internet service source. | none
internet-service6-src-custom-group | Select the custom IPv6 source group. | none
internet-service6-src-group | Select the IPv6 source group. | none
internet-service6-src-name | Select the IPv6 source. | none
internet-service6-src-negate | Enable to negate the value set in | disable
match-vip | Enable or disable matching of packets that have had their destination address changed by a VIP. | disable
match-vip-only | Enable or disable matching only those packets that have had their destination addresses changed by a VIP. | disable
natinbound | Enable or disable applying destination NAT to inbound traffic. | disable
natip | Set the source NAT IP address for inbound traffic. | 0.0.0.0/0.0.0.0
natoutbound | Enable or disable applying destination NAT to outbound traffic. | disable
network-service-dynamic | Select a dynamic network service. | none
network-service-src-dynamic | Select a dynamic network service source. | none
np-acceleration | Enable or disable UTM network processor acceleration. | disable
ntlm | Enable or disable NTLM authentication. | disable
ntlm-enabled-browsers | Set the HTTP-User-Agent value of supported browsers. | none
ntlm-guest | Enable or disable NTLM guest user access. | disable
outbound | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. | disable
passive-wan-health-measurement | Enable or disable passive WAN health measurement. When enabled, | disable
permit-any-host | Enable or disable accepting UDP packets from any host. | disable
permit-stun-host | Enable or disable accepting UDP packets from any session traversal utilities for NAT (STUN) host. | disable
policy-expiry | Enable or disable policy expiry. | disable
policy-expiry-date | If policy-expiry is enabled, set the policy expiry date. | 0000-00-00,00:00:00
policy-offload | Enable or disable hardware session setup for CGNAT. | disable
radius-mac-auth-bypass | Enable or disable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. | disable
redirect-url | Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating. | none
reputation-direction | Set the destination of the initial traffic for reputation to take effect. | destination
reputation-direction6 | Set the destination of the initial traffic for IPv6 reputation to take effect. | destination
reputation-minimum | Set the minimum reputation to take action. | 0
reputation-minimum6 | Set the minimum IPv6 reputation to take action. | 0
rtp-addr | If this is an RTP NAT policy, set the address names. | none
rtp-nat | Enable or disable real time protocol (RTP) NAT. | disable
schedule-timeout | Enable or disable ending current sessions when the schedule object times out. Disable allows sessions to end from inactivity. | disable
sctp-filter-profile | Select an existing SCTP filter profile. | none
send-deny-packet | Enable or disable sending a reply when a session is denied or blocked by a firewall policy. | disable
service-negate | Enable or disable negation of the service set in the policy. | disable
session-ttl | Enter a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation. | 0
sgt | Enter security group tags (SGT). | none
sgt-check | Enable or disable SGT check. | disable
src-vendor-mac | Select the vendor MAC source. | none
srcaddr-negate | Enable or disable negation of the source address. | disable
srcaddr6-negate | Enable or disable negation of the source IPv6 address. | disable
ssh-filter-profile | Select an SSH filter profile from the drop-down list. | None
ssh-policy-redirect | Enable or disable SSH policy redirect. | disable
tcp-mss-receiver | Enter the receiver's TCP maximum segment size (MSS). | 0
tcp-mss-sender | Enter the sender's TCP MSS. | 0
tcp-session-without-syn | Enable or disable creation of a TCP session without the SYN flag. | disable
tcp-timeout-pid | Select the TCP timeout profile. | none
timeout-send-rst | Enable or disable the sending of RST packets when TCP sessions expire. | disable
tos | Enter the type of service (TOS) value used for comparison. | 0
tos-mask | Enter the bit mask for TOS. Non-zero bit positions are used for comparison while zero bit positions are ignored. | 0
tos-negate | Enable or disable negation of the TOS match. | disable
udp-timeout-pid | Select the UDP timeout profile. | none
uuid | Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. | 00000000-0000-0000-0000-000000000000
vlan-cos-fwd | Select the VLAN forward direction user priority. The available values are: | 255
vlan-cos-rev | Select the VLAN reverse direction user priority. The available values are: | 255
vlan-filter | Set VLAN filters. | none
wanopt | Enable or disable WAN optimization (IPv4 only). | disable
wanopt-detection | Select the WAN optimization as active, passive, or off. | active
wanopt-passive-opt | Select WAN optimization passive mode options. This option decides what IP address will be used to connect to the server (IPv4 only). | default
wanopt-peer | Select a WAN optimization peer (IPv4 only). | none
wanopt-profile | Select a WAN optimization profile (IPv4 only). | none
webcache | Enable or disable web cache (IPv4 only). | disable
webcache-https | Enable or disable the web cache for HTTPS (IPv4 only). | none
webproxy-forward-server | Select the webproxy forward server (IPv4 only). | none
webproxy-profile | Select the webproxy profile (IPv4 only). | none