Solved

Fortigate SSL Inspection

Posted on 2014-03-31
18
1,131 Views
Last Modified: 2015-04-14
Hi Experts,

I have a Fortigate 200B.
I want to set up a policy that also blocks HTTPS traffic.
When I watched the Fortigate video, I saw more settings in the Policy section than on my firewall.

I don't have the option SSL/SSH INSPECTION under POLICIES.
What does it mean? Missing license?
0
Comment
Question by:Eprs_Admin
18 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968462
There is no special license for SSL/SSH inspection ...
What OS-Version are you running? I assume you mean you want to use the webfilters for HTTPS ...
For transparent scanning, you need to have the "Scan Encrypted Connections" option selected in the security profile, and also need to have HTTPS selected as service in the firewall policy ... please do note that to the users it will look like a Man-in-the-Middle-Attack (which, in fact, it is), as the SSL certificate presented by the firewall will not match the actual site's certificate. To keep that from happening you'd need to add the firewall's CA to the trusted certificates of the clients.
0
 

Author Comment

by:Eprs_Admin
ID: 39968505
Yes, I mean webfilters for HTTPS sites.
The unit is a Fortigate 200B with firmware: v4.0,build0665,130514 (MR3 Patch 14)
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968516
4MR3 still lists SSL scanning as "HTTPS Scanning" in the webfilter profile ... enabling that - combined with the service on the policy - should break open the SSL encryption for scanning ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968528
OK, inside the policy HTTPS scanning is active, see the picture.
https-scanning.JPG
0
 

Author Comment

by:Eprs_Admin
ID: 39968529
But which service do you mean? And where?
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968531
The firewall policy you use to enable web filtering ... it should have both HTTP and HTTPS selected as service, otherwise HTTPS sessions will not be recognized and filtered
0
 

Author Comment

by:Eprs_Admin
ID: 39968543
The webfilter is enabled and HTTPS is enabled, but I cannot block the HTTPS traffic.
In another video I have seen settings under the policy tab -> SSL-SSH inspection.
See the picture, it is missing in my Forti.
no-ssl-ssh-inspection.JPG
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968559
The "SSL-Inspection" menu option is part of the 5.0 update IIRC ... I have the option on devices here running 5.0 Patch 6 ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968571
Does that mean it is not available on 4.0?
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968617
Setting the option in the security policy ought to work - the option in 5.0 just lets you add specific ports for certain types of SSL communication ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968640
OK, so just the settings in the policy are not enough.
It is enabled.
I can block each HTTP site but not HTTPS.
When I block https://www.facebook.com, it is not working.
0
 

Author Comment

by:Eprs_Admin
ID: 39968849
But I found something in the manual...

Using Protocol Options, you can also configure the FortiGate unit to perform URL filtering of HTTPS or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP content inspection and DLP archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS.

To enable full SSL content scanning of web filtering, select Enable Deep Scanning under HTTPS in the protocol options profile.

Is this the solution?
0
 

Author Comment

by:Eprs_Admin
ID: 39993790
When I enabled DEEP SCANNING, all connections in our office were down.
All with certificate errors.
0
 
LVL 18

Accepted Solution

by:Garry Glendown (earned 500 total points)
ID: 39994628
That is to be expected - after all, by breaking open the SSL connections, you're doing a MITM attack on the communication ... so unless you have a CA certificate on the firewall that is trusted by all the clients, they will always complain about an invalid certificate ...
0
 

Author Comment

by:Eprs_Admin
ID: 39998439
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40014264
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40027345
OK, what do I have to do on the firewall?
0
 

Author Comment

by:Eprs_Admin
ID: 40046956
What do I have to do so that I don't break the connections and certificates?
0
