SSL Inspection, FortiGate Firewall


We have a FortiGate and we're seeing the need to implement SSL inspection to be able to scan SSL traffic.
As I understand it, the FortiGate would interject its own certificate in the transaction between the client and the website to decrypt/encrypt the data on the fly to scan it.

We see that we can use a self-signed certificate from our domain CA to accomplish scanning SSL traffic.
However, we want to scan nodes/PCs/Macs that are not joined to our domain, with multiple browsers, etc.

Is it possible to use a public/trusted CA like Comodo or DigiCert to scan SSL traffic, and would you need a specific type of certificate?


btan (Exec Consultant) commented:
First off, the FG needs to be inline for such full SSL interception and inspection.

The typical workflow is that the FG impersonates the recipient of the originating SSL session, then decrypts and inspects the content. It then re-encrypts the content, creates a new SSL session between itself and the recipient by impersonating the sender, and sends the content to the sender.

See this useful summary write-up on using a custom certificate for SSL inspection:
Network users can now manually import the certificate into their trusted root CA certificate store (IE and Chrome) and/or into their browsers (Firefox). Alternatively, if the users are members of a Windows domain, the domain administrator can use a group policy to force them to trust the self-signed certificate the FortiGate is presenting.

Hence, for the SSL cert needed, you need:
- the client to trust this certificate to avoid certificate errors; see the means to prevent them above, synchronised between the FG and the client machine
- regardless of domain or standalone client, the cert store to have the CA in the FG in the Trusted Root CA store (including the self-signed cert, which needs to be imported as the assumed "root CA")

Especially for standalone clients, you may not have control over the root CA, which is why most will use the "already" trusted root CAs that come with the client browser. That is, use a certificate that is already trusted by your clients: for example, a certificate signed by a CA that your clients already trust.

For those such as DigiCert, GlobalSign, etc., see Microsoft's root CA criteria (such as the cert EKU) and issuer responsibilities for being trusted by default at:
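The trust-store step above (the FortiGate's inspection CA must sit in every client's trusted root store, and Firefox keeps its own NSS store rather than reading the OS one) can be scripted for the non-domain Linux and macOS clients the question asks about. The script below is an added example, not part of the original thread or of Fortinet's documentation. It assumes the FortiGate CA has been exported as PEM to the placeholder path in CA_FILE, that the NSS certutil is on PATH for the Firefox part, and it uses openssl s_client to check whether a site's certificate is really re-signed by that CA, which is the observable effect of the impersonation workflow described above.

```shell
#!/bin/sh
# Added example: push a FortiGate SSL-inspection CA into client trust stores
# and verify that a site's certificate is actually re-signed by it.
# Assumptions (placeholders, not from the thread): the CA was exported from
# the FortiGate as PEM to $CA_FILE; NSS "certutil" is on PATH for Firefox.
CA_FILE="${CA_FILE:-./fortigate-ca.pem}"
CA_NICK="${CA_NICK:-FortiGate SSL Inspection CA}"

# Firefox does not use the OS trust store by default; each profile has its
# own NSS database. List profile directories under BASE that hold one.
firefox_profiles() {
    base="$1"
    for d in "$base"/*/; do
        d="${d%/}"
        if [ -f "$d/cert9.db" ] || [ -f "$d/cert8.db" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# certutil needs the DB type prefix: sql: for cert9.db, dbm: for legacy cert8.db.
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then printf 'sql:'; else printf 'dbm:'; fi
}

# Import the CA into one Firefox profile as a trusted TLS server CA ("C,,").
install_firefox_ca() {
    profile="$1"
    command -v certutil >/dev/null 2>&1 || { echo "NSS certutil not found" >&2; return 1; }
    certutil -A -a -n "$CA_NICK" -t "C,," -i "$CA_FILE" -d "$(nss_db_prefix "$profile")$profile"
}

# Import the CA into the OS store used by Chrome/Safari/curl on macOS and Linux.
# (On Windows the equivalent is: certutil -addstore -f Root fortigate-ca.pem)
install_system_ca() {
    case "$(uname -s)" in
        Darwin)
            sudo security add-trusted-cert -d -r trustRoot \
                -k /Library/Keychains/System.keychain "$CA_FILE" ;;
        Linux)
            if [ -d /usr/local/share/ca-certificates ]; then        # Debian/Ubuntu
                sudo cp "$CA_FILE" /usr/local/share/ca-certificates/fortigate-ssl-inspection.crt
                sudo update-ca-certificates
            elif [ -d /etc/pki/ca-trust/source/anchors ]; then      # RHEL/Fedora
                sudo cp "$CA_FILE" /etc/pki/ca-trust/source/anchors/fortigate-ssl-inspection.pem
                sudo update-ca-trust
            else
                echo "unknown Linux trust store layout" >&2; return 1
            fi ;;
        *) echo "unsupported OS" >&2; return 1 ;;
    esac
}

# With deep inspection the issuer of the leaf certificate the client receives
# is the FortiGate CA, not the site's public CA. Compare the two (needs network).
is_inspected() {
    host="$1"
    ca_subject=$(openssl x509 -noout -subject -in "$CA_FILE" | sed 's/^subject=//')
    issuer=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer | sed 's/^issuer=//')
    if [ -n "$issuer" ] && [ "$issuer" = "$ca_subject" ]; then
        echo "$host: re-signed by the inspection CA ($issuer)"; return 0
    fi
    echo "$host: issuer is '$issuer', traffic is not deep-inspected"; return 1
}

main() {
    case "$1" in
        system)  install_system_ca ;;
        firefox) firefox_profiles "${2:-$HOME/.mozilla/firefox}" \
                     | while IFS= read -r p; do install_firefox_ca "$p"; done ;;
        check)   is_inspected "$2" ;;
        *)       echo "usage: $0 system | firefox [profile-base] | check <host>" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as "sh fg-ca.sh system", then "sh fg-ca.sh firefox" (on macOS pass the profile base, "$HOME/Library/Application Support/Firefox/Profiles"), and finally "sh fg-ca.sh check www.example.com" from a client whose traffic should be deep-inspected: if the issuer printed is the site's public CA rather than the FortiGate CA, that client's traffic is not being decrypted, which is also the quick way to confirm which policies are only doing certificate inspection.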

Lenblock (Author) commented:

Checked with our certificate supplier and was told that they would not let us install their intermediate certificate, which would accomplish this, on our firewall, as that certificate would let our firewall generate certificates on behalf of that CA.

Guessing no other supplier would give you their intermediate certificate, and if they did, you probably shouldn't trust them.

Now looking to use a certificate signed by our domain CA, and only scan traffic for domain-joined computers using the Active Directory poll for AD computers, supporting IE and Chrome.
Other devices will just get their SSL header scanned (certificate inspection).

btan (Exec Consultant) commented:
Thanks for sharing. In fact, for a third-party CA, they can allow the intermediate cert to be installed on the client or target; here is an online intermediate cert from GlobalSign:

Lenblock (Author) commented:
Solved by using our own certificate.

Did you manually install the SSL cert into the Firefox browser for all the users?

Lenblock (Author) commented:

Yes, but it's pretty easy and the users can manage with a quick how-to.
The alternative was to install a third-party tool into Active Directory to support GPO for Firefox, which we do not want to do.
