firewall : ssl-ssh-profile
 
ssl-ssh-profile
Use this command to configure UTM deep inspection option profiles for firewall policies. Deep inspection options control how UTM functionality identifies and inspects secure content protocols such as HTTPS, FTPS, and SMTPS. Client comforting options are controlled by the corresponding non-secure protocol options in firewall profile-protocol-options.
The ssl-server table can only be configured once client-cert-request has been changed from bypass.
Syntax
config firewall ssl-ssh-profile
  edit {certificate-inspection | deep-inspection}
    set caname <ca-cert_name>
    set certname <cert_name>
    set comment <comment_str>
    set extended-utm-log {enable | disable}
    set server-cert-mode {re-sign | replace}
    config {ftps | https | imaps | pop3s | smtps}
      set ports <port_number_list>
      set allow-invalid-server-cert {enable | disable}
      set client-cert-request {bypass | inspect | block}
      set ssl-ca-list {enable | disable}
      set status {certificate-inspection | deep-inspection | disable}
      set unsupported-ssl {bypass | block}
    end
    config ssh
      set block {exec port-forward ssh-shell x11-filter}
      set inspect-all {disable | deep-inspection}
      set log {exec port-forward ssh-shell x11-filter}
      set ports <port_number_list>
      set status {disable | deep-inspection}
    end
    config ssl
      set allow-invalid-server-cert {enable | disable}
      set inspect-all {disable | certificate-inspection | deep-inspection}
      set ssl-ca-list {enable | disable}
    end
    config ssl-exempt
      edit <id>
        set type {address | address6 | fortiguard-category}
        set address {<addr> | all | none}
        set address6 {<addr6> | all | none}
        set fortiguard-category <cat_int>
      end
    end
    config ssl-server
      edit <table_id>
        set ftps-client-cert-request {block | bypass | inspect}
        set https-client-cert-request {block | bypass | inspect}
        set imaps-client-cert-request {block | bypass | inspect}
        set ip <ipv4_addr>
        set pop3s-client-cert-request {block | bypass | inspect}
        set smtps-client-cert-request {block | bypass | inspect}
        set ssl-other-client {block | bypass | inspect}
      end
    end
end
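As an added worked example (not part of the FortiOS reference and not Fortinet's code), the following Python script parses a configuration written in the syntax above and flags the settings that weaken inspection: allow-invalid-server-cert set to enable, unsupported-ssl set to bypass, and an ssl-exempt entry of type address with address all. The profile contents, the comment text and the FortiGuard category id in SAMPLE_CONFIG are constructed for illustration; because the page does not state defaults for every option, the audit judges only values that are explicitly set.

```python
"""Audit a FortiOS ssl-ssh-profile for weak deep-inspection settings.
Added example, not FortiOS documentation code. The config text is constructed;
only explicitly set values are judged, since defaults vary by FortiOS version."""
import shlex

# Constructed sample: two deliberately weak https settings and an
# over-broad exemption. The FortiGuard category id is a placeholder.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "lab profile (constructed sample)"
        set caname "Fortinet_CA_SSLProxy"
        set server-cert-mode re-sign
        config https
            set ports 443 8443
            set status deep-inspection
            set allow-invalid-server-cert enable
            set unsupported-ssl bypass
            set client-cert-request inspect
        end
        config smtps
            set ports 465
            set status deep-inspection
            set allow-invalid-server-cert disable
            set unsupported-ssl block
        end
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type address
                set address all
            next
        end
    next
end
"""

PROTOCOLS = ("ftps", "https", "imaps", "pop3s", "smtps")

def parse_fortios(text):
    """Nested dicts from FortiOS CLI text: 'config'/'edit' open a scope,
    'set' stores value tokens as a list, 'next' closes an edit, and 'end'
    closes the table (plus any entry still open in it, as on the CLI)."""
    root = {}
    stack, kinds = [root], []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quoted values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
            kinds.append(cmd)
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "next" and kinds and kinds[-1] == "edit":
            stack.pop(); kinds.pop()
        elif cmd == "end":
            if kinds and kinds[-1] == "edit":
                stack.pop(); kinds.pop()
            if kinds and kinds[-1] == "config":
                stack.pop(); kinds.pop()
    return root

def first(table, key):
    """First value token set for key, or None when the key is not set."""
    values = table.get(key)
    return values[0] if values else None

def audit_profile(name, profile):
    """Return (profile, location, issue) tuples for weak settings."""
    findings = []
    for proto in PROTOCOLS:
        opts = profile.get(proto, {})
        if first(opts, "status") in (None, "disable"):
            continue  # protocol not inspected by this profile
        if first(opts, "allow-invalid-server-cert") == "enable":
            findings.append((name, proto, "allow-invalid-server-cert enable: invalid server certificates are accepted"))
        if first(opts, "unsupported-ssl") == "bypass":
            findings.append((name, proto, "unsupported-ssl bypass: SSL the proxy cannot inspect passes through uninspected"))
    for entry_id, entry in profile.get("ssl-exempt", {}).items():
        if first(entry, "type") == "address" and first(entry, "address") == "all":
            findings.append((name, "ssl-exempt " + entry_id, "address all: every destination is exempt from inspection"))
    return findings

def audit_config(text):
    """Map each ssl-ssh-profile name to its list of findings."""
    profiles = parse_fortios(text).get("firewall ssl-ssh-profile", {})
    return {name: audit_profile(name, p) for name, p in profiles.items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for _, where, issue in findings:
            print(f"  [{where}] {issue}")
```

To check a live device, save the output of the CLI's show command for this table (show firewall ssl-ssh-profile) to a file and pass its contents to audit_config instead of SAMPLE_CONFIG; the parser accepts the quoted values the CLI emits. The ssl-exempt check only looks at type address entries, so an address6 or fortiguard-category exemption is reported as-is in the parsed tree but not flagged.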
 
Variable / Description / Default

edit {certificate-inspection | deep-inspection}
  Select the profile to edit or enter a name to create a new profile.
  certificate-inspection — No deep inspection. Only the SSL handshake is inspected for the purpose of web filtering.
  deep-inspection — Deep inspection of SSL traffic.

caname <ca-cert_name>
  Select the CA certificate used by SSL content scanning and inspection for establishing encrypted SSL sessions.
  Default: Fortinet_CA_SSLProxy

certname <cert_name>
  Select the server certificate used by SSL inspection.

comment <comment_str>
  Optionally enter a description of the profile (up to 63 characters).

extended-utm-log {enable | disable}
  Enable or disable detailed UTM log messages.
  Default: disable

server-cert-mode {re-sign | replace}
  Choose whether to re-sign or replace the server certificate.