Solved

Fortigate SSL Inspection

Posted on 2014-03-31
18
1,187 Views
Last Modified: 2015-04-14
Hi Experts,

I have a Fortigate 200B.
I want to set up a policy to also block HTTPS traffic.
When I watched the Fortigate video, I saw some more settings in the Policy section than on my firewall.

I don't have the option SSL/SSH INSPECTION under POLICIES.
What does it mean? Missing license?
0
Comment
Question by:Eprs_Admin
18 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968462
There is no special license for SSL/SSH inspection ...
What OS-Version are you running? I assume you mean you want to use the webfilters for HTTPS ...
For transparent scanning, you need to have the "Scan Encrypted Connections" option selected in the security profile, and also need to have HTTPS selected as service in the firewall policy ... please do note that to the users it will look like a Man-in-the-Middle-Attack (which, in fact, it is), as the SSL certificate presented by the firewall will not match the actual site's certificate. To keep that from happening you'd need to add the firewall's CA to the trusted certificates of the clients.
0
 

Author Comment

by:Eprs_Admin
ID: 39968505
Yes, I mean web filters for HTTPS sites.
The unit is a Fortigate 200B with firmware: v4.0,build0665,130514 (MR3 Patch 14)
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968516
4MR3 still lists SSL scanning as "HTTPS Scanning" in the webfilter profile ... enabling that - combined with the service on the policy - should break open the SSL encryption for scanning ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968528
OK, inside the policy HTTPS scanning is active; see the picture.
https-scanning.JPG
0
 

Author Comment

by:Eprs_Admin
ID: 39968529
But which service do you mean? And where?
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968531
The firewall policy you use to enable web filtering ... it should have both HTTP and HTTPS selected as service, otherwise HTTPS sessions will not be recognized and filtered
0
 

Author Comment

by:Eprs_Admin
ID: 39968543
The web filter is enabled and HTTPS is enabled, but I cannot block the HTTPS traffic.
In another video I have seen settings under the policy tab -> SSL/SSH inspection.
See the picture; it is missing in my Forti.
no-ssl-ssh-inspection.JPG
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968559
The "SSL-Inspection" menu option is part of the 5.0 update IIRC ... I have the option on devices here running 5.0 Patch 6 ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968571
Does it mean it is not available on 4.0?
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968617
Setting the option in the security policy ought to work - the option in the 5.0 just lets you add specific ports for certain types of SSL communication ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968640
OK, so just the settings in the policy are not enough.
It is enabled.
I can block each HTTP site but not HTTPS.
When I block https://www.facebook.com, it is not working.
0
 

Author Comment

by:Eprs_Admin
ID: 39968849
But I found something in the manual...

Using Protocol Options, you can also configure the FortiGate unit to
perform URL filtering of HTTPS or to use SSL content scanning and
inspection to decrypt HTTPS so that the FortiGate unit can also apply
antivirus and DLP content inspection and DLP archiving to HTTPS.
Using SSL content scanning and inspection to decrypt HTTPS also
allows you to apply more web filtering and FortiGuard Web Filtering
options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable
Deep Scanning
under HTTPS in the protocol options profile.

Is this the solution?
0
 

Author Comment

by:Eprs_Admin
ID: 39993790
When I enabled DEEP SCANNING, all connections in our office were down.
All with certificate errors.
0
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 500 total points
ID: 39994628
That is to be expected - after all, by breaking open the SSL connections, you're doing a MITM attack on the communication ... so unless you have a CA certificate on the firewall that is trusted by all the clients, they will always complain about an invalid certificate ...
0
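The two points Garry makes above (the firewall re-signs every HTTPS session with its own CA, so clients complain unless that CA is in their trust store) can be checked from a client rather than guessed at. The script below is an added diagnostic example, not code from this thread or from Fortinet: it connects to a site, verifies the chain against the system trust store plus an optional firewall CA file (`inspection_ca_file` is assumed to be a PEM export of the FortiGate's inspection CA), and reports whether the certificate it receives was issued by that inspection CA. The sample certificate dict and the issuer name "Fortigate CA" are constructed placeholders.

```python
"""Check whether an HTTPS connection from this client is being re-signed by an
SSL-inspection CA (such as a FortiGate's), and whether this client trusts it."""
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns once a chain
# verifies; the issuer here is a hypothetical firewall inspection CA.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "XX"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "Fortigate CA"),),  # placeholder name, not a real CA
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples
    that getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify(cert, inspection_ca_cn):
    """Return 'intercepted' if the leaf certificate was issued by the
    inspection CA, 'direct' otherwise. cert is a getpeercert()-style dict."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "intercepted" if issuer_cn == inspection_ca_cn else "direct"


def probe(host, port=443, inspection_ca_file=None, timeout=5.0):
    """Connect to host and verify the chain against the system store plus,
    optionally, the firewall's CA file. Returns (status, detail): 'ok' with
    the peer cert dict, or 'untrusted' with the verification error, which is
    exactly the symptom users see when the firewall's CA is not installed."""
    ctx = ssl.create_default_context()
    if inspection_ca_file:
        ctx.load_verify_locations(cafile=inspection_ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = probe(host, inspection_ca_file=ca_file)
    if status == "ok":
        print(host, classify(detail, "Fortigate CA"),
              "issuer:", rdn_value(detail["issuer"], "commonName"))
    else:
        print(host, status, detail)
```

Run it once without the CA file: behind a firewall doing deep scanning the result is "untrusted" with a verification message, which is the certificate error the office saw. Run it again with the exported firewall CA as the second argument: it should then return "ok" and classify the connection as "intercepted", confirming both that inspection is active and that a client with that CA installed will stop complaining.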
 

Author Comment

by:Eprs_Admin
ID: 39998439
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40014264
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40027345
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40046956
What do I have to do so that I don't break the connections and certificates?
0
