Chapter 24 - Security Profiles > SSL SSH Inspection > Creating or editing an SSL/SSH Inspection profile

Creating or editing an SSL/SSH Inspection profile

  1. Go to Security Profiles > SSL/SSH Inspection.
     This will open to one of the existing profiles.
     The links for the actions are located in the upper right hand corner of the window.
     • To view a list of the existing profiles, select the List icon (a page) at the far right.
     • To clone an existing profile, select the Clone icon (one page behind another), second from the right.
     • To create a new profile, select the Create New icon ("+" symbol), third from the right.
     • To view or edit an existing profile, choose it from the dropdown menu field.
  2. Name Field:
     Give the profile an easily identifiable name that references its intent.
  3. Comments Field:
     Enter any additional information that might be needed by administrators, as a reminder of the profile's purpose and scope.
  4. SSL Inspection Options:
     1. Enable SSL Inspection of:
        • Multiple Clients Connecting to Multiple Servers - Use this option for generic policies where the destination is unknown.
        • Protecting SSL Server - Use this option when setting up a profile customized for a specific SSL server with a specific certificate.
     2. Inspection Method
        The options here are:
        • SSL Certificate Inspection - only inspects the certificate, not the contents of the traffic.
        • Full SSL Inspection - inspects all of the traffic.
     3. CA Certificate
        Use the drop down menu to choose which one of the installed certificates to use for the inspection of the packets, or click on Download Certificate.
     4. Untrusted SSL Certificates
        Select an action for untrusted SSL certificates.
     5. Protocol Port Mapping / Inspect All Ports
        Enable the ability to inspect all ports by checking the box. If the feature is not enabled, specify, in the field next to each listed protocol, the port on which that protocol's traffic will be inspected. Traffic of that protocol going through any other port will not be inspected.
        Note: If you select Inspect All Ports, then only the IPS engine is used for inspection.
     6. Exempt from SSL Inspection:
        Use the dropdown menus in this section to specify any reputable websites, FortiGuard Web Categories, or addresses that will be exempt from SSL inspection.
        • Reputable Websites - Enable this option to exempt any websites identified by FortiGuard as reputable.
        • Web Categories - By default the categories of Health and Wellness, Personal Privacy, and Finance and Banking have been added, as these are the ones most likely to have applications that require a specific certificate.
        • Addresses - These can be any of the Address objects that have an interface of "Any".
        • Log SSL exemptions - Enable this option to log all SSL exemptions.
  5. SSH Inspection Options:
     1. SSH Deep Scan
        Toggle to disable or enable the feature.
     2. SSH Port
        The available options are:
        • Any - choosing this option will search all of the traffic, regardless of service or TCP/IP port, for packets that conform to the SSH protocol.
        • Specify - choosing this option will restrict the search for SSH protocol packets to the TCP/IP port number specified in the field. This is not as comprehensive, but it is easier on the performance of the firewall.
     3. Protocol Actions
        • Exec - Block, Log or neither. Select using check boxes.
        • Port-Forward - Block, Log or neither. Select using check boxes.
        • SSH-Shell - Block, Log or neither. Select using check boxes.
        • X11-Filter - Block, Log or neither. Select using check boxes.
  6. Common Options:
     1. Allow Invalid SSL Certificates
        Check the box to enable the passing of traffic with invalid certificates.
     2. Log SSL anomalies
        Check the box to allow the Logging function to record traffic sessions containing invalid certificates.

The SSH Deep Scan feature is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you want it enabled before applying the inspection profile.


The context location for configuring the SSL/SSH Inspection in the CLI is:

   config firewall ssl-ssh-profile
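As an added example, not part of this Fortinet page, the following Python audit reads an exported `config firewall ssl-ssh-profile` block and flags the settings the steps above call out (invalid certificates allowed, SSL anomaly logging turned off, SSH deep scan left at its default). The sample export is constructed, and the CLI key names are assumptions to verify against your firmware's CLI reference.

```python
# Constructed sample export (not from a real device); CLI key names are assumed, verify against your firmware.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "branch-deep-inspection"
        set ssl-anomalies-log disable
        config ssl
            set inspect-all deep-inspection
            set allow-invalid-server-cert enable
        end
        config ssh
            set status deep-inspection
        end
    next
    edit "certificate-only"
        set ssl-anomalies-log enable
        config ssl
            set inspect-all certificate-inspection
        end
    next
end
"""

def parse_profiles(text):
    """Walk the config/edit/set/next/end nesting; return {profile: {"section/key": value}}."""
    profiles, current, path = {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            path.append(rest)
        elif word == "edit":
            current = profiles.setdefault(rest.strip('"'), {})
        elif word == "set" and current is not None:
            key, _, value = rest.partition(" ")
            current["/".join(path[1:] + [key])] = value.strip('"')  # drop the top-level context
        elif word == "next":
            current = None
        elif word == "end":
            path.pop()
    return profiles

CHECKS = [  # (key, value that triggers the finding, finding text)
    ("ssl/allow-invalid-server-cert", "enable", "passes traffic with invalid SSL certificates"),
    ("ssl-anomalies-log", "disable", "sessions with invalid certificates are not logged"),
    ("ssh/status", "deep-inspection", "SSH deep scan is on (the default); confirm it is intended"),
]

def audit(profiles):
    """Return {profile: [finding, ...]} for the settings the page calls out."""
    return {name: [msg for key, bad, msg in CHECKS if settings.get(key) == bad]
            for name, settings in profiles.items()}
```

Run `audit(parse_profiles(SAMPLE_CONFIG))` against a real `show firewall ssl-ssh-profile` export to list, per profile, which of these settings deserve a second look before the profile is applied to a policy.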