Solved

Fortigate SSL Inspection

Posted on 2014-03-31
18
933 Views
Last Modified: 2015-04-14
Hi Experts,

I have a Fortigate 200B.
I want to setup a policy to block also HTTPS traffic.
When I have seen the Fortigate Video I saw on the Policy section some more settings like on my firewall.

I don´t have the option SSL7SSH INSPECTION under POLICIES.
What does it means ? Missing license ?
0
Comment
Question by:Eprs_Admin
  • 12
  • 6
18 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 39968462
There is no special license for SSL/SSH inspection ...
What OS-Version are you running? I assume you mean you want to use the webfilters for HTTPS ...
For transparent scanning, you need to have the "Scan Encrypted Connections" option selected in the security profile, and also need to have HTTPS selected as service in the firewall policy ... please do note that to the users it will look like a Man-in-the-Middle-Attack (which, in fact, it is), as the SSL certificate presented by the firewall will not match the actual site's certificate. To keep that from happening you'd need to add the firewall's CA to the trusted certificates of the clients.
0
 

Author Comment

by:Eprs_Admin
ID: 39968505
Yes I mean webfilters for https sites.
The unit is a Fortigate 200B with firmware: v4.0,build0665,130514 (MR3 Patch 14)
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39968516
4MR3 still lists SSL scanning as "HTTPS Scanning" in the webfilter profile ... enabling that - combined with the service on the policy - should break open the SSL encryption for scanning ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968528
ok, inside the policy https scanning is active, see the picture.
https-scanning.JPG
0
 

Author Comment

by:Eprs_Admin
ID: 39968529
but which service you mean ? and where ?
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39968531
The firewall policy you use to enable web filtering ... it should have both HTTP and HTTPS selected as service, otherwise HTTPS sessions will not be recognized and filtered
0
 

Author Comment

by:Eprs_Admin
ID: 39968543
the webfilter is enabled and https is enabled but I cannot block the https traffic.
From another video I ahve seen settings under the policy tab -> ssl-ssh inspection.
See the picture, it is missing in my forti.
no-ssl-ssh-inspection.JPG
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39968559
The "SSL-Inspection" menu option is part of the 5.0 update IIRC ... I have the option on devices here running 5.0 Patch 6 ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968571
Does it mean on 4.0 it is not available ?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 17

Expert Comment

by:Garry-G
ID: 39968617
Setting the option in the security policy ought to work - the option in the 5.0 just lets you add specific ports for certain types of SSL communication ...
0
 

Author Comment

by:Eprs_Admin
ID: 39968640
ok, just the settings in the policy is not enough.
It is enabled.
I can block each http site but not https.
When I block https://www.facebook.com, it is not working.
0
 

Author Comment

by:Eprs_Admin
ID: 39968849
but I found something in the manual...

Using Protocol Options, you can also configure the FortiGate unit to
perform URL filtering of HTTPS or to use SSL content scanning and
inspection to decrypt HTTPS so that the FortiGate unit can also apply
antivirus and DLP content inspection and DLP archiving to HTTPS.
Using SSL content scanning and inspection to decrypt HTTPS also
allows you to apply more web filtering and FortiGuard Web Filtering
options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable
Deep Scanning
under HTTPS in the protocol options profile.

Is this the solution ?
0
 

Author Comment

by:Eprs_Admin
ID: 39993790
when I enabled the DEEP SCANNING, all connection in our office were down.
All with certificate errors.
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
ID: 39994628
That is to be expected - after all, by breaking open the SSL connections, you're doing a MITM attack on the communication ... so unless you have a CA certificate on the firewall that is trusted by all the clients, they will always complain about an invalid certificate ...
0
 

Author Comment

by:Eprs_Admin
ID: 39998439
ok, what I have to do on the firewall ?
0
 

Author Comment

by:Eprs_Admin
ID: 40014264
ok, what I have to do on the firewall ?
0
 

Author Comment

by:Eprs_Admin
ID: 40027345
ok, what I have to do on the firewall ?
0
 

Author Comment

by:Eprs_Admin
ID: 40046956
what to do, that I don´t break the connections and certificates ?
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now