- December 21, 2024 at 6:19 AM
Weekend Wiki (Administrator)
Enabling SSL/TLS inspection on a FortiGate firewall lets the device decrypt and inspect encrypted HTTPS traffic for threats. This is typically done so that web filtering, intrusion prevention, and antivirus scanning can see the content of HTTPS connections, which would otherwise be opaque to the firewall. (The GUI still calls the feature "SSL inspection" even though the traffic it handles is TLS.) Here is how to enable SSL inspection on a FortiGate via the Web GUI:
1. Log in to the FortiGate Web Interface
- Open a web browser and enter the management IP address of your FortiGate device (e.g., 192.168.1.99, the factory default, or whatever IP you configured for management).
- Log in with your administrator credentials.
2. Navigate to SSL/SSH Inspection Settings
- In the left-hand menu, go to Security Profiles.
- Then, click on SSL/SSH Inspection under the Security Profiles section.
3. Create or Edit SSL Inspection Profile
- On the SSL/SSH Inspection page, you’ll see existing profiles, or you can create a new one:
- To create a new profile: Click Create New at the top of the page.
- To edit an existing profile: Click the edit icon next to the profile you want to modify (e.g., “deep-inspection”).
4. Configure SSL Inspection Profile
- In the profile settings, you’ll define how SSL traffic is handled:
General Settings:
- Name: Enter a name for the profile (e.g., SSL_Inspection_Profile).
- Inspection method: Choose how SSL traffic is inspected. There are two options:
- SSL Certificate Inspection: The FortiGate inspects only the TLS handshake (the server certificate and the SNI) without decrypting the content. This is enough for URL/category filtering by hostname, but not for scanning payloads.
- Full SSL Inspection (deep inspection): The FortiGate decrypts the session, inspects the full content, and re-encrypts it towards the client. This is required for antivirus, IPS, and DLP to see what is inside HTTPS.
Full SSL Inspection (Decryption) Settings:
- Inspection scope: Keep the default Multiple Clients Connecting to Multiple Servers for outbound user traffic. (Protecting SSL Server is for inbound traffic to your own servers, where you upload that server's real certificate and private key instead.)
- CA Certificate: Choose the CA the FortiGate uses to re-sign server certificates. The default is the built-in Fortinet_CA_SSL; alternatively, import a subordinate CA issued by your own enterprise PKI, which clients already trust, so no separate certificate rollout is needed.
- How re-signing works: For each HTTPS session the FortiGate terminates the TLS connection from the server, generates a new certificate for that hostname on the fly, signs it with the selected CA, and presents it to the client. Clients therefore see a chain ending at the FortiGate CA rather than the public CA, which is why that CA must be trusted on every client (step 6).
- Untrusted SSL certificates: With the default Allow, a server whose real certificate fails validation is re-signed with the separate Fortinet_CA_Untrusted certificate, so the client still receives a browser warning instead of a silently trusted connection. Block drops such connections outright. Do not pick Ignore unless you accept that the FortiGate will vouch for certificates it could not validate.
Exemptions (Optional):
- Exempt from SSL Inspection: Exclude traffic that must not or cannot be decrypted. The profile lets you exempt by FortiGuard web category (for example Finance and Banking, Health and Wellness, and Personal Privacy, which the built-in deep-inspection profile exempts by default), by address object, by wildcard FQDN, or via the Reputable websites list. Two kinds of traffic belong here: regulated or privacy-sensitive sites, and applications that use certificate pinning (many software updaters, banking apps, and some SaaS clients), which simply fail when their server certificate is replaced. Pinned applications cannot be fixed by installing the CA on the client; they must be exempted.
Log Settings:
- Log SSL exemptions: Enable this so that every connection bypassed by an exemption rule is logged; without it, exempted traffic is invisible in the logs and you cannot audit what is not being inspected.
- Log invalid certificates (under Common Options): Enable this to record servers whose certificates failed validation.
- Click OK once you have configured the profile.
5. Apply SSL Inspection Profile to Policies
- After creating the profile, you need to apply it to the appropriate firewall policy to inspect SSL traffic.
To apply the SSL Inspection profile to a policy:
- Go to Policy & Objects > Firewall Policy (called IPv4 Policy on older firmware).
- Find the policy you want to apply SSL inspection to (e.g., LAN to WAN).
- Edit the policy by clicking on the pencil icon.
- Scroll down to the Security Profiles section.
- Enable SSL/SSH Inspection and select the SSL profile you just created from the drop-down list. Note that the SSL/SSH inspection profile on its own does not scan anything: enable at least one content profile on the same policy (Web Filter, AntiVirus, IPS, Application Control, or DLP) so that the decrypted traffic is actually inspected.
- Click OK to save the policy.
6. Distribute the FortiGate CA Certificate to Clients (Required for Full SSL Inspection)
- Because full inspection re-signs every server certificate, clients see a chain that ends at the FortiGate's CA instead of the public CA. Unless that CA is in the client's trusted root store, every HTTPS site produces a certificate warning (correctly so, since the browser cannot distinguish your FortiGate from an attacker doing the same thing). If you selected the default Fortinet_CA_SSL, its certificate must be pushed to every client behind the policy.
To install the FortiGate CA certificate on client devices:
- Download the CA certificate: on the SSL/SSH Inspection profile page, use the download link next to the CA certificate, or go to System > Certificates, select Fortinet_CA_SSL, and download it. Export only the certificate, never the private key.
- Install it in the Trusted Root Certification Authorities store on each client (on a Windows domain, deploy it with Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities; use your MDM for managed mobile devices). Applications with their own trust store, such as Firefox (unless configured to use the OS store) or Java, need the certificate imported separately.
- Protect the FortiGate accordingly: anyone who obtains the private key of the signing CA can impersonate any HTTPS site to your users. Restrict administrative access to the device, and if you use your own PKI, issue a dedicated subordinate CA for this purpose rather than reusing one with other duties.
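The CLI equivalent of steps 3 to 6 above, as an added example that is not part of the original post. The profile name is taken from the post; the policy ID (1), the interface names port1 (WAN) and port2 (LAN), the address object internal-payroll-hosts and its subnet, and the use of the built-in "default" web filter profile are assumptions for illustration. Category 31 is the FortiGuard ID for Finance and Banking; confirm it against the category list shown in your own GUI. Lines beginning with # are commentary and can be removed if pasting into an interactive CLI session.

```fortios
# Added example, not from the original post. FortiOS 7.x CLI syntax.
# Assumed objects: policy 1, port1 = WAN, port2 = LAN, address
# "internal-payroll-hosts" (10.10.50.0/24), built-in "default" web filter.

# Address object used below for an exemption (assumed name and subnet).
config firewall address
    edit "internal-payroll-hosts"
        set subnet 10.10.50.0 255.255.255.0
        set comment "Internal HR system; must not be decrypted"
    next
end

# Step 3/4: the SSL/SSH inspection profile (name from the post).
config firewall ssl-ssh-profile
    edit "SSL_Inspection_Profile"
        set comment "Full SSL inspection for LAN to WAN"
        # Full (deep) inspection on HTTPS. Use "certificate-inspection"
        # for the handshake-only mode described in the post.
        config https
            set ports 443
            set status deep-inspection
        end
        # Re-sign server certificates with the built-in CA. Clients must
        # trust Fortinet_CA_SSL (step 6), or substitute your own CA here.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        # Servers whose real certificate fails validation are re-signed
        # with a CA the clients do NOT trust, so the warning is preserved.
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Exemptions: banking category (31 = Finance and Banking, verify
        # in your GUI) and the assumed internal address object.
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type address
                set address "internal-payroll-hosts"
            next
        end
        # Log every bypassed connection so exemptions can be audited.
        set ssl-exemptions-log enable
    next
end

# Step 5: apply the profile to the LAN-to-WAN policy (assumed ID 1).
# Decryption only matters when a content profile is also enabled here;
# the built-in "default" web filter profile is used as that example.
config firewall policy
    edit 1
        set name "LAN to WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "SSL_Inspection_Profile"
        set webfilter-profile "default"
        set logtraffic all
    next
end
```

The CA certificate itself is not created by this script: Fortinet_CA_SSL already exists on the device, and step 6 (downloading it and pushing it to clients) is done outside the FortiGate. If you replace `caname` with an imported subordinate CA from your own PKI, the client rollout step disappears, because clients already trust that chain.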
7. Test SSL Inspection
- After configuring SSL inspection, browse to an HTTPS site from a client behind the policy and open the certificate details in the browser: the issuer of the site certificate should now be the FortiGate CA (Fortinet_CA_SSL or your own CA) rather than the public CA, with no warning shown. Then visit a site in an exempted category and confirm that its issuer is still the original public CA.
- Check for SSL inspection-related logs by navigating to Log & Report > Forward Traffic and filtering on the policy; if you enabled logging of exemptions and invalid certificates, those events appear in the security event logs as well.
8. Monitor SSL Inspection
- Use FortiView or the dashboard widgets to see which sessions and policies are carrying inspected traffic, and watch CPU and memory usage after enabling full inspection, since decryption is the most expensive operation the policy performs. The exact menu location varies by firmware version.
SSL Inspection Modes:
- SSL Certificate Inspection: The firewall inspects only the TLS handshake (server certificate and SNI) to check validity, expiration, trust, and the hostname being visited. It is lighter and transparent to clients, but it cannot see the payload, so antivirus, IPS, and DLP do not apply to that traffic.
- Full SSL Inspection: The firewall decrypts and inspects the entire SSL session for threats. This provides far deeper coverage but requires installing the FortiGate CA certificate on client devices to avoid browser warnings, and requires exemptions for applications that pin their certificates.
Final Notes:
- Privacy Considerations: SSL inspection gives the firewall, its administrators, and its logs access to content that users and regulators expect to remain encrypted, such as banking, health, and personal communications. Exempt the relevant web categories, state in your acceptable-use policy what is inspected, and check local legal requirements before enabling full inspection.
- Performance Impact: Decrypting and re-encrypting traffic with full inspection is CPU-intensive. Size the FortiGate for the expected HTTPS throughput (check the SSL inspection figure in the model's datasheet, not the raw firewall throughput), and enable it on a limited policy first before rolling it out to all users.
By following these steps, you can enable SSL inspection on your FortiGate firewall via the GUI, ensuring that your network traffic is being adequately inspected for security risks in encrypted connections.