SSL content scanning and inspection settings
If SSL content scanning and inspection is available on your FortiGate unit, you can configure SSL settings. The following table provides an overview of the options available and where to find further instruction:
 
Table 99: SSL content scanning and inspection settings

Setting: Predefined firewall services
Description: The IMAPS, POP3S and SMTPS predefined services. You can select these services in a security policy and a DoS policy.

Setting: Protocol recognition
Description: The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS, POP3S, and SMTPS. Go to Policy > Policy > Proxy Options. Add or edit a Proxy Options profile and configure HTTPS, IMAPS, POP3S, SMTPS, and FTPS.
Using Proxy Options, you can also configure the FortiGate unit to perform URL filtering of HTTPS, or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP content inspection and DLP archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable Deep Scanning under HTTPS in the Proxy Options profile.

Setting: Antivirus
Description: Antivirus options including virus scanning and file filtering for HTTPS, IMAPS, POP3S, and SMTPS.
Go to AntiVirus > Profile. Add or edit a profile and configure Virus Scan for HTTPS, IMAPS, POP3S, and SMTPS.

Setting: Antivirus quarantine
Description: Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions.
Go to Security Profiles > AntiVirus > Quarantine. You can quarantine infected files, suspicious files, and blocked files found in HTTPS, IMAPS, POP3S, SMTPS, and FTPS sessions.

Setting: Web filtering
Description: Web filtering options for HTTPS:
- Web Content Filter
- Web URL Filter
- ActiveX Filter
- Cookie Filter
- Java Applet Filter
- Web Resume Download Block
- Block invalid URLs
Go to Security Profiles > Web Filter > Profile. Add or edit a web filter profile and configure web filtering for HTTPS.

Setting: FortiGuard Web Filtering
Description: FortiGuard Web Filtering options for HTTPS:
- Enable FortiGuard Web Filtering
- Enable FortiGuard Web Filtering Overrides
- Provide Details for Blocked HTTP 4xx and 5xx Errors
- Rate Images by URL (Blocked images will be replaced with blanks)
- Allow Websites When a Rating Error Occurs
- Strict Blocking
- Rate URLs by Domain and IP Address
- Block HTTP Redirects by Rating
Go to Security Profiles > Web Filter > Profile. Add or edit a profile and configure FortiGuard Web Filtering for HTTPS.

Setting: Email filtering
Description: Email filtering options for IMAPS, POP3S, and SMTPS:
- FortiGuard Email Filtering IP Address Check, URL check, E-mail Checksum Check, and Spam Submission
- IP Address BWL Check
- E-mail Address BWL Check
- Return E-mail DNS Check
- Banned Word Check
- Spam Action
- Tag Location
- Tag Format
Go to Security Profiles > Email Filter > Profile. Add or edit a profile and configure email filtering for IMAPS, POP3S, and SMTPS.

Setting: Data Leak Prevention
Description: DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps below:
1. Go to Security Profiles > Data Leak Prevention > Sensor, create a new DLP sensor or edit an existing one, and then add any combination of the DLP advanced rules, DLP compound rules, file filters, regular expressions, and file size limits to the sensor.
2. Go to Policy > Policy > Proxy Options. Add or edit a profile and select Enable Deep Scan under HTTPS.
3. Go to Policy > Policy > Policy, edit the required policy, enable DLP Sensor and select the DLP sensor.
4. Go to Policy > Policy > Policy, edit the required policy, enable Proxy Options and select a profile that has Enable Deep Scan selected under HTTPS.
Note: If no Proxy Options profile is selected, or if Enable Deep Scan is not selected within the Proxy Options profile, DLP rules cannot inspect HTTPS.

Setting: DLP archiving
Description: DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the protocol to be archived.

Setting: Monitor DLP content information on the system dashboard
Description: DLP archive information on the Log and Archive Statistics widget on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS.
Go to Policy > Policy > Proxy Options. Add or edit a profile. For each protocol you want monitored on the dashboard, enable Monitor Content Information for Dashboard.
These options display meta-information on the Statistics dashboard widget.
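
The table states that antivirus and DLP reach HTTPS content only when the policy selects a Proxy Options profile with deep scanning enabled under HTTPS, so a policy that misses this step leaves HTTPS uninspected. The following audit is an added example, not Fortinet code: the dictionary layout, field names and sample policies are constructed for illustration and are not FortiOS configuration syntax or API output.

```python
from typing import Optional

# Constructed sample data in a hypothetical export layout (assumption:
# not FortiOS syntax). Profile and sensor names are made up.
PROXY_OPTIONS = {
    "default": {"https_deep_scan": False},
    "deep-inspect": {"https_deep_scan": True},
}
POLICIES = [
    {"id": 1, "dlp_sensor": "card-data", "antivirus": "av-std", "proxy_options": "deep-inspect"},
    {"id": 2, "dlp_sensor": "card-data", "antivirus": None, "proxy_options": "default"},
    {"id": 3, "dlp_sensor": None, "antivirus": "av-std", "proxy_options": None},
    {"id": 4, "dlp_sensor": None, "antivirus": None, "proxy_options": None},
    {"id": 5, "dlp_sensor": "card-data", "antivirus": None, "proxy_options": "old-profile"},
]

# Profiles that, per the table, reach HTTPS content only after decryption.
NEEDS_DECRYPTION = ("dlp_sensor", "antivirus")


def deep_scan_problem(policy: dict, proxy_options: dict) -> Optional[str]:
    """Return why HTTPS deep scan is not in effect for this policy, or None."""
    name = policy.get("proxy_options")
    if not name:
        return "no Proxy Options profile selected"
    profile = proxy_options.get(name)
    if profile is None:
        return f"Proxy Options profile {name!r} is not defined"
    if not profile.get("https_deep_scan", False):
        return f"Enable Deep Scan is not selected in {name!r}"
    return None


def https_inspection_gaps(policies: list, proxy_options: dict) -> list:
    """List (policy id, profile field, reason) where HTTPS goes uninspected."""
    gaps = []
    for policy in policies:
        reason = deep_scan_problem(policy, proxy_options)
        if reason is None:
            continue  # deep scan is in effect, nothing to report
        for field in NEEDS_DECRYPTION:
            if policy.get(field):  # profile applied but cannot see HTTPS
                gaps.append((policy["id"], field, reason))
    return gaps


if __name__ == "__main__":
    for pid, field, reason in https_inspection_gaps(POLICIES, PROXY_OPTIONS):
        print(f"policy {pid}: {field} cannot inspect HTTPS ({reason})")
```

Policies with neither an antivirus profile nor a DLP sensor are not reported, since the table allows URL filtering of HTTPS without decryption.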