Solved

Fortigate SSL Inspection

Posted on 2014-03-31
Last Modified: 2015-04-14
Hi Experts,

I have a Fortigate 200B.
I want to set up a policy that also blocks HTTPS traffic.
When I watched the Fortigate video, I saw some more settings in the Policy section than on my firewall.

I don't have the option SSL/SSH INSPECTION under POLICIES.
What does it mean? A missing license?
Question by:Eprs_Admin
18 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968462
There is no special license for SSL/SSH inspection ...
What OS version are you running? I assume you mean you want to use the web filters for HTTPS ...
For transparent scanning, you need to have the "Scan Encrypted Connections" option selected in the security profile, and also need to have HTTPS selected as a service in the firewall policy ... please do note that to the users it will look like a man-in-the-middle attack (which, in fact, it is), as the SSL certificate presented by the firewall will not match the actual site's certificate. To keep that from happening you'd need to add the firewall's CA to the trusted certificates of the clients.
 

Author Comment

by:Eprs_Admin
ID: 39968505
Yes, I mean web filters for HTTPS sites.
The unit is a Fortigate 200B with firmware: v4.0,build0665,130514 (MR3 Patch 14)
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968516
4.0 MR3 still lists SSL scanning as "HTTPS Scanning" in the webfilter profile ... enabling that, combined with the service on the policy, should break open the SSL encryption for scanning ...
 

Author Comment

by:Eprs_Admin
ID: 39968528
OK, inside the policy HTTPS scanning is active, see the picture.
https-scanning.JPG
 

Author Comment

by:Eprs_Admin
ID: 39968529
But which service do you mean? And where?
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968531
The firewall policy you use to enable web filtering ... it should have both HTTP and HTTPS selected as service, otherwise HTTPS sessions will not be recognized and filtered
 

Author Comment

by:Eprs_Admin
ID: 39968543
The web filter is enabled and HTTPS is enabled, but I cannot block the HTTPS traffic.
From another video I have seen settings under the policy tab -> SSL/SSH inspection.
See the picture; it is missing in my Forti.
no-ssl-ssh-inspection.JPG
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968559
The "SSL-Inspection" menu option is part of the 5.0 update IIRC ... I have the option on devices here running 5.0 Patch 6 ...
 

Author Comment

by:Eprs_Admin
ID: 39968571
Does it mean on 4.0 it is not available?
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39968617
Setting the option in the security policy ought to work - the option in the 5.0 just lets you add specific ports for certain types of SSL communication ...
 

Author Comment

by:Eprs_Admin
ID: 39968640
OK, just the settings in the policy are not enough.
It is enabled.
I can block each HTTP site but not HTTPS.
When I block https://www.facebook.com, it is not working.
 

Author Comment

by:Eprs_Admin
ID: 39968849
But I found something in the manual...

Using Protocol Options, you can also configure the FortiGate unit to
perform URL filtering of HTTPS or to use SSL content scanning and
inspection to decrypt HTTPS so that the FortiGate unit can also apply
antivirus and DLP content inspection and DLP archiving to HTTPS.
Using SSL content scanning and inspection to decrypt HTTPS also
allows you to apply more web filtering and FortiGuard Web Filtering
options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable
Deep Scanning
under HTTPS in the protocol options profile.

Is this the solution?
 

Author Comment

by:Eprs_Admin
ID: 39993790
When I enabled DEEP SCANNING, all connections in our office were down.
All with certificate errors.
 
LVL 18

Accepted Solution

by:
Garry Glendown earned 500 total points
ID: 39994628
That is to be expected - after all, by breaking open the SSL connections, you're doing a MITM attack on the communication ... so unless you have a CA certificate on the firewall that is trusted by all the clients, they will always complain about an invalid certificate ...
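The accepted answer names the cause but never shows what "a CA certificate on the firewall that is trusted by all the clients" means in practice. The shell script below is an added example, not from this thread and not Fortinet's code, that reproduces the mechanism with OpenSSL: it creates an inspection CA of the kind the firewall signs with, mints a site certificate the way deep scanning does for every HTTPS destination, and then runs the same verification a browser would, once with only the normal root store and once after the CA has been trusted. The CA name and www.facebook.com are illustrative; it assumes openssl 1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Fortinet. It reproduces with OpenSSL what
# deep scanning does and why every client in the office threw certificate errors:
# the firewall terminates the client's TLS session and presents a certificate for the
# real site that it signs on the fly with its own CA. Nothing trusts that CA until
# you install it on the clients.
# Assumptions: openssl 1.1 or newer on PATH (older versions exit 0 even on a failed
# verify); the CA name and www.facebook.com are illustrative only.
set -eu

SITE="www.facebook.com"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config: an empty DN section (subjects are passed with -subj) and the
# extension sets for the CA and for the minted site certificate.
cat >"$CNF" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SITE
EOF

# 1. The inspection CA. The firewall needs the certificate AND the private key
#    (ca.key never leaves it); ca.pem alone is what goes to the clients.
make_inspection_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Corp FortiGate SSL Inspection CA" \
        -config "$CNF" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. What the firewall does for every HTTPS site a user visits: mint a server
#    certificate for that hostname, signed by the inspection CA, and present it
#    to the client instead of the site's real certificate.
forge_site_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SITE" -config "$CNF" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$CNF" -extensions leaf_ext \
        -out "$WORK/site.pem" >/dev/null 2>&1
}

# 3a. A client with only its normal root store (the situation in the thread):
#     the chain ends in an unknown CA, so verification fails. Exit status is
#     openssl's own: 0 = accepted, non-zero = certificate error.
client_without_ca_accepts() {
    openssl verify -verify_hostname "$SITE" "$WORK/site.pem" >/dev/null 2>&1
}

# 3b. The same client after ca.pem was added to its trusted roots.
client_with_ca_accepts() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$SITE" \
        "$WORK/site.pem" >/dev/null 2>&1
}

# Issuer the browser actually shows for the site while inspection is on; this is
# the quickest way to confirm that traffic is being inspected at all.
presented_issuer() {
    openssl x509 -in "$WORK/site.pem" -noout -issuer
}

make_inspection_ca
forge_site_cert
echo "issuer presented for $SITE: $(presented_issuer)"
if client_without_ca_accepts; then
    echo "client without the CA: accepted (unexpected)"
else
    echo "client without the CA: certificate error, as seen in the office"
fi
if client_with_ca_accepts; then
    echo "client trusting ca.pem: accepted"
else
    echo "client trusting ca.pem: rejected (unexpected)"
fi
```

Mapped back to the question: keep deep scanning on, export the certificate (never the key) of the CA the firewall signs with, or import your own CA certificate plus key on the firewall and select it for deep scanning, and push that certificate into the trusted root store of every client (on Windows, `certutil -addstore Root ca.pem` or a Group Policy certificate deployment; Firefox keeps its own store and needs it added separately). Clients that pin the site's real certificate, such as some software updaters and mobile apps, will still fail and need to be exempted from inspection. Without decryption the firewall only sees the hostname of an HTTPS site, not the path, so a full URL is only matchable with deep scanning enabled.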
 

Author Comment

by:Eprs_Admin
ID: 39998439
OK, what do I have to do on the firewall?
 


Author Comment

by:Eprs_Admin
ID: 40046956
What do I have to do so that I don't break the connections and certificates?
