Configuring SSL inspection for flow-based and proxy protection
FortiOS 5.0 fully supports flow-based inspection of SSL sessions. This means that HTTPS, IMAPS, POP3S, SMTPS and FTPS traffic can now be decrypted and inspected by IPS, application control, and flow-based antivirus, web filtering and email filtering.
FortiOS 5.0 continues to fully support proxy inspection of SSL sessions. In FortiOS 5.0, configuring proxy SSL inspection has changed as described below.
To enable proxy or flow-based inspection of SSL sessions, you must add an SSL/SSH Inspection profile to a security policy. You can configure SSL/SSH inspection profiles to inspect HTTPS, SMTPS, POP3S, IMAPS and FTPS traffic, as well as SSH traffic. You can configure the profile to control which SSL protocols to inspect, the ports to inspect for each protocol and the certificate to use with SSL sessions.
To apply proxy virus scanning and web filtering to HTTPS, IMAPS, POP3S, SMTPS and FTPS sessions
1. Go to Policy > Policy > SSL/SSH Inspection and create or edit an SSL/SSH inspection profile.
2. Under SSL Inspection Options select the CA certificate to use for SSL sessions. You can import a new certificate or use one already imported into the FortiGate unit.
3. Under enable the SSL protocols that you want to inspect and set the ports to inspect for each protocol.
4. Configure other settings as required and select Apply to save your changes.
5. Go to Policy > Policy > Policy and create a new policy or edit an existing policy that accepts the SSL traffic to be inspected.
6. Under Security Profiles, turn on AntiVirus and Web Filter and select profiles for them.
7. Turn on SSL/SSH Inspection and select the SSL/SSH inspection profile that you configured.
8. Select OK.
To apply flow-based virus scanning, web filtering and application control to HTTPS and POP3S sessions
This example adds the factory default antivirus, web filtering, application control and SSL/SSH inspection profiles to a security policy that accepts HTTPS and POP3S traffic, so that flow-based virus scanning, web filtering and application control are applied to that traffic.
1. Go to Policy > Policy > Policy and create or edit a policy that accepts the HTTPS and POP3S traffic to be inspected.
2. Under Security Profiles, turn on AntiVirus and select the AV-flow profile.
3. Turn on Web Filter and select the web-filter-flow profile.
4. Turn on Application Control and select the default profile.
5. Turn on SSL/SSH Inspection and select the default profile.
6. Select OK.