Solved

Fortigate SSL Inspection

Posted on 2014-03-31
Last Modified: 2015-04-14
Hi Experts,

I have a Fortigate 200B.
I want to setup a policy to block also HTTPS traffic.
When I watched the Fortigate video, I saw more settings in the Policy section than on my firewall.

I don't have the option SSL/SSH INSPECTION under POLICIES.
What does it mean? Missing license?
Question by:Eprs_Admin
18 Comments
 

Expert Comment

by:Garry-G
ID: 39968462
There is no special license for SSL/SSH inspection ...
What OS version are you running? I assume you mean you want to use the webfilters for HTTPS ...
For transparent scanning, you need to have the "Scan Encrypted Connections" option selected in the security profile, and also need to have HTTPS selected as service in the firewall policy ... please do note that to the users it will look like a man-in-the-middle attack (which, in fact, it is), as the SSL certificate presented by the firewall will not match the actual site's certificate. To keep that from happening you'd need to add the firewall's CA to the trusted certificates of the clients.
 

Author Comment

by:Eprs_Admin
ID: 39968505
Yes, I mean webfilters for HTTPS sites.
The unit is a Fortigate 200B with firmware: v4.0,build0665,130514 (MR3 Patch 14)
 

Expert Comment

by:Garry-G
ID: 39968516
4MR3 still lists SSL scanning as "HTTPS Scanning" in the webfilter profile ... enabling that - combined with the service on the policy - should break open the SSL encryption for scanning ...
 

Author Comment

by:Eprs_Admin
ID: 39968528
OK, inside the policy HTTPS scanning is active, see the picture.
https-scanning.JPG
 

Author Comment

by:Eprs_Admin
ID: 39968529
But which service do you mean? And where?
 

Expert Comment

by:Garry-G
ID: 39968531
The firewall policy you use to enable web filtering ... it should have both HTTP and HTTPS selected as service, otherwise HTTPS sessions will not be recognized and filtered
 

Author Comment

by:Eprs_Admin
ID: 39968543
The webfilter is enabled and HTTPS is enabled, but I cannot block the HTTPS traffic.
In another video I have seen settings under the policy tab -> SSL-SSH inspection.
See the picture, it is missing in my Forti.
no-ssl-ssh-inspection.JPG
 

Expert Comment

by:Garry-G
ID: 39968559
The "SSL-Inspection" menu option is part of the 5.0 update IIRC ... I have the option on devices here running 5.0 Patch 6 ...
 

Author Comment

by:Eprs_Admin
ID: 39968571
Does it mean it is not available on 4.0?
 

Expert Comment

by:Garry-G
ID: 39968617
Setting the option in the security policy ought to work - the option in 5.0 just lets you add specific ports for certain types of SSL communication ...
 

Author Comment

by:Eprs_Admin
ID: 39968640
OK, just the settings in the policy are not enough.
It is enabled.
I can block each HTTP site but not HTTPS.
When I block https://www.facebook.com, it is not working.
 

Author Comment

by:Eprs_Admin
ID: 39968849
But I found something in the manual...

Using Protocol Options, you can also configure the FortiGate unit to perform URL filtering of HTTPS or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP content inspection and DLP archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable Deep Scanning under HTTPS in the protocol options profile.

Is this the solution?
 

Author Comment

by:Eprs_Admin
ID: 39993790
When I enabled DEEP SCANNING, all connections in our office were down,
all with certificate errors.
 

Accepted Solution

by:Garry-G (earned 500 total points)
ID: 39994628
That is to be expected - after all, by breaking open the SSL connections, you're doing a MITM attack on the communication ... so unless you have a CA certificate on the firewall that is trusted by all the clients, they will always complain about an invalid certificate ...
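The trust failure Garry-G describes, as an added Go example that is not from this thread or from Fortinet: it builds a constructed "firewall CA", re-signs a certificate for www.facebook.com with it the way an inspecting FortiGate does on the fly, and then verifies that certificate once with a client trust store that lacks the firewall CA (the certificate errors seen in the office) and once with the firewall CA added (the fix). The CA name and serial numbers are constructed; it assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// makeCert issues a certificate for cn: self-signed when parent is nil (the firewall's own CA),
// otherwise signed by parent, as the firewall does to every site certificate it replaces on the fly.
func makeCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // leaf: must name the site the client asked for
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Simulate verifies the firewall's re-signed certificate for host the way a browser would:
// first with a trust store lacking the firewall CA, then with the firewall CA added to it.
func Simulate(host string) (errWithoutCA, errWithCA error) {
	fwCA, fwKey := makeCert("FortiGate SSL inspection CA (constructed)", true, 1, nil, nil)
	resigned, _ := makeCert(host, false, 2, fwCA, fwKey)
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()}
	_, errWithoutCA = resigned.Verify(opts) // client without the firewall CA: "unknown authority"
	opts.Roots.AddCert(fwCA)                // the fix from the thread: trust the firewall CA on the client
	_, errWithCA = resigned.Verify(opts)
	return
}
func main() {
	without, with := Simulate("www.facebook.com")
	fmt.Println("firewall CA not trusted:", without, "\nfirewall CA trusted:", with)
}
```

The same check applies to any site the firewall intercepts: until the firewall's CA is in the client's trusted root store, every re-signed certificate fails as issued by an unknown authority.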
 

Author Comment

by:Eprs_Admin
ID: 39998439
OK, what do I have to do on the firewall?
 

Author Comment

by:Eprs_Admin
ID: 40014264
OK, what do I have to do on the firewall?
 

Author Comment

by:Eprs_Admin
ID: 40027345
OK, what do I have to do on the firewall?
 

Author Comment

by:Eprs_Admin
ID: 40046956
What do I have to do so that I don't break the connections and certificates?
