User Guide

Configuring an SSL/SSH inspection profile

To configure an SSL/SSH inspection profile:
  1. Go to Security > Firewall Objects.

  2. Select SSL/SSH Inspection from the Security Profiles dropdown.

  3. Click Create or select an existing profile from the list and click Edit.

  4. In the form, enter the following information:

    Settings

    Guidelines

    Name

    Required. Enter a name for the profile.

    Comments

    Optionally, enter comments.

    SSL Inspection Options

    Enable SSL Inspection of

    Select one of the options and configure the following settings:

    Multiple Clients Connecting to Multiple Servers

    Settings

    Guidelines

    Inspection Method

    Select the method to use for inspection:

    • SSL Certificate Inspection

    • Full SSL Inspection

    CA Certificate

    Select the certificate to use.

    Blocked Certificate

    Allow or Block known malicious certificates.

    Untrusted SSL Certificates

    Select the action to take when a server certificate is not issued by a trusted CA.

    • Allow

    • Block

    • Ignore

    Ignore is only available if Full SSL Inspection is selected.

    Server Certificate SNI Check

    Check the SNI in the client hello message against the CN or SAN field of the server certificate returned by the server. A mismatch means the hostname the client asked for (and that URL filtering and exemptions would otherwise trust) is not the hostname the server actually proved ownership of.

    • Enable: If mismatched, use the CN in the server certificate to do URL filtering.

    • Strict: If mismatched, close the connection.

    • Disable: Server certificate SNI check is disabled.

    Enforce SSL Cipher Compliance

    Enable or disable enforcement of SSL cipher compliance.

    This option is only available if Full SSL Inspection is selected.

    Enforce SSL Negotiation Compliance

    Enable or disable enforcement of SSL negotiation compliance.

    This option is only available if Full SSL Inspection is selected.

    RPC over HTTPS

    Enable or disable allowing remote procedure calls (RPC) over HTTPS. This protocol is used by Microsoft Exchange Server clients; enable this option so that email carried over RPC over HTTPS can be inspected and virus scanned.

    This option is only available if Full SSL Inspection is selected.

    Protocol Port Mapping

    For each protocol, enable or disable inspection and specify the port.

    Inspect All Ports

    Enable or disable inspection of all ports.

    Exempt from SSL Inspection

    Reputable Websites

    Enable or disable exempting reputable websites from SSL inspection. This allowlist includes common web sites trusted by FortiGuard.

    This option is only available if Full SSL Inspection is selected.

    Web Categories

    Select categories of websites to exempt from SSL inspection.

    This option is only available if Full SSL Inspection is selected.

    Addresses

    Select previously defined addresses to exempt from SSL inspection. For more information about adding addresses, see To configure an address.

    This option is only available if Full SSL Inspection is selected.

    Log SSL Exemptions

    Enable or disable logging of traffic that is exempted from SSL inspection.

    This option is only available if Full SSL Inspection is selected.

    SSH Inspection Options

    SSH Deep Scan

    Enable or disable SSH deep scanning, then specify the SSH port.

    Common Options

    Invalid SSL Certificates

    Select whether to Allow or Block all invalid SSL certificates, or select Custom to configure handling for each type of invalid certificate.

    Expired Certificates

    Select the action to take when the certificate is expired.

    This option is only available when Invalid SSL Certificates is set to Custom.

    Revoked Certificates

    Select the action to take when the certificate is revoked.

    This option is only available when Invalid SSL Certificates is set to Custom.

    Validation Timed-Out Certificates

    Select the action to take when the certificate validation times out.

    This option is only available when Invalid SSL Certificates is set to Custom.

    Validation Failed Certificates

    Select the action to take when the certificate validation fails.

    This option is only available when Invalid SSL Certificates is set to Custom.

    Log SSL Anomalies

    Enable or disable logging of SSL anomalies.

    Protecting SSL Server

    Settings

    Guidelines

    Server Certificate

    Select the certificate to use.

    Protocol Port Mapping

    For each protocol, enable or disable inspection and specify the port.

    Inspect All Ports

    Enable or disable inspection of all ports.

    Exempt from SSL Inspection

    Addresses

    Select previously defined addresses to exempt from SSL inspection. For more information about adding addresses, see To configure an address.

    This option is only available if Full SSL Inspection is selected.

    Log SSL Exemptions

    Enable or disable logging of traffic that is exempted from SSL inspection.

    This option is only available if Full SSL Inspection is selected.

  5. Click Save to save the profile.
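The Server Certificate SNI Check setting above is the one option in this form that carries real decision logic, and it is worth understanding what each mode does before choosing it: URL filtering and the SSL exemption lists are keyed on the hostname the client sends in the SNI, so a client that sends an allowed or exempted SNI to a server whose certificate names a different host can otherwise slip past category-based filtering. The following Python script is an added example written for this page, not Fortinet code, and it models the three modes (Enable, Strict, Disable) over constructed certificates. The function and class names, the matching rules (wildcard honoured only as the whole leftmost label, SANs consulted before the CN, as in RFC 6125) and the sample certificate data are all assumptions made for illustration; the actual matching implemented by the device is not documented on this page.

```python
"""Model of the Server Certificate SNI Check decision (Enable / Strict / Disable).

Added example for this page; not Fortinet code. Names, matching rules and the
sample certificates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hostname_matches(name: str, pattern: str) -> bool:
    """True if DNS name `name` is covered by certificate name `pattern`.

    Assumed rules (RFC 6125 style): comparison is case-insensitive, a wildcard
    is accepted only as the entire leftmost label, and only when at least two
    labels follow it, so '*' and '*.com' never match anything.
    """
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    n_labels, p_labels = name.split("."), pattern.split(".")
    if len(n_labels) != len(p_labels):
        return False
    if "*" in pattern and len(p_labels) < 3:
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcards are not allowed below the leftmost label
    first_ok = p_labels[0] == "*" or p_labels[0] == n_labels[0]
    return first_ok and p_labels[1:] == n_labels[1:]


@dataclass
class ServerCert:
    """The two identity fields the SNI check compares against (constructed)."""
    common_name: str
    subject_alt_names: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # If the certificate carries DNS SANs, the CN is not consulted.
        return self.subject_alt_names or [self.common_name]


def sni_check(sni: Optional[str], cert: ServerCert, mode: str) -> Tuple[str, Optional[str]]:
    """Return (action, filtering_name) for one TLS handshake.

    action: 'pass'   names agree, continue with the SNI
            'use-cn' mismatch in Enable mode: URL filtering uses the cert CN
            'close'  mismatch in Strict mode: connection is closed
            'skip'   check disabled, or no SNI present (assumed: nothing to compare)
    filtering_name: hostname handed to URL filtering, None when closed.
    """
    if mode not in ("enable", "strict", "disable"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "disable" or not sni:
        return "skip", sni
    if any(hostname_matches(sni, n) for n in cert.names()):
        return "pass", sni
    if mode == "strict":
        return "close", None
    return "use-cn", cert.common_name


# Constructed sample certificates; these are not real certificates.
GOOD = ServerCert("www.example.com", ["www.example.com", "example.com"])
WILD = ServerCert("*.example.net", ["*.example.net"])
FRONT = ServerCert("cdn.attacker.example", ["cdn.attacker.example"])


def demo() -> List[tuple]:
    """Run the interesting cases and return (sni, cn, mode, action, name) rows."""
    cases = [
        ("www.example.com", GOOD, "enable"),    # pass
        ("api.example.net", WILD, "strict"),    # pass: wildcard covers one label
        ("a.b.example.net", WILD, "strict"),    # close: wildcard does not span labels
        ("bank.example.org", FRONT, "enable"),  # use-cn: filter on the real host
        ("bank.example.org", FRONT, "strict"),  # close: fronting attempt dropped
        ("bank.example.org", FRONT, "disable"), # skip: SNI is trusted as sent
        (None, GOOD, "strict"),                 # skip: ClientHello without SNI
    ]
    return [(sni, cert.common_name, mode) + sni_check(sni, cert, mode)
            for sni, cert, mode in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `bank.example.org` rows are the reason the check exists: with the setting disabled, filtering and exemption decisions are made on the client-supplied SNI, so a client can reach `cdn.attacker.example` while the device believes it is looking at a banking site. Enable keeps the connection but filters on the certificate's real name; Strict drops it. Note the assumption in the model that a handshake with no SNI at all is not compared; how the device treats that case is not stated on this page and should be verified against your firmware's behaviour before relying on Strict mode.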