Chapter 7 Firewall : Security policies : SSL/SSH Inspection : Creating or editing an SSL/SSH Inspection profile
  
Creating or editing an SSL/SSH Inspection profile
1. Go to Policy & Objects > Policy > SSL/SSH Inspection.
This will open to one of the existing profiles.
The links for the actions are located in the upper right hand corner of the window.
To view a list of the existing profiles, select the List icon (a page) at the far right.
To clone an existing profile, select the Clone icon (one page behind another), second from the right.
To create a new profile, select the Create New icon (the "+" symbol), third from the right.
To view or edit an existing profile, choose it from the dropdown menu field.
2. Name Field:
Give the Profile an easily identifiable name that references its intent.
3. Comments Field:
Enter any additional information that might be needed by administrators, as a reminder of the profile's purpose and scope.
4. SSL Inspection Options
a. Enable SSL Inspection of:
Multiple Clients Connecting to Multiple Servers - Use this option for generic (typically outbound) policies where the destination server is unknown. Under full inspection the FortiGate re-signs each server's certificate with the CA certificate chosen below before presenting it to the client.
Protecting SSL Server - Use this option when setting up a profile customized for a specific SSL server (typically inbound traffic to a server you own) whose certificate and private key are installed on the FortiGate.
b. CA Certificate
Use the drop down menu to choose which of the installed CA certificates the FortiGate uses to re-sign server certificates during inspection. Client devices must trust this CA (for example by importing the default Fortinet_CA_SSL certificate into their trust stores); otherwise every inspected site will produce a certificate warning in the browser.
c. Inspection Method
The options here are:
SSL Certificate Inspection - inspects only the handshake (the server certificate and the server name requested by the client), which is enough for web filtering by hostname or category. The encrypted payload is not decrypted, so it cannot be scanned for malware or data leaks.
Full SSL Inspection - decrypts and inspects all of the traffic, so antivirus, DLP, IPS and application control can see the content. This is the method that requires clients to trust the CA certificate chosen above.
d. Inspect All Ports
Check the box to inspect all ports. If the feature is not enabled, specify in the field next to each listed protocol the port on which that protocol's traffic will be inspected. Traffic of that protocol on any other port will not be inspected. Inspecting all ports is more thorough but costs more firewall resources.
5. Exempt from SSL Inspection
Use the dropdown menus in this section to specify FortiGuard web categories or address objects that will be exempt from SSL inspection. Exempted traffic passes without decryption, so keep this list as short as possible.
a. Web Categories
By default the categories Health and Wellness, Personal Privacy, and Finance and Banking have been added, as these are the ones most likely to host applications that require a specific certificate (and will therefore break under re-signing) or that carry data you may not want decrypted.
b. Addresses
These can be any Address objects whose interface is set to "Any".
6. SSH Inspection Options
a. SSH Deep Scan
Toggle the button so that it is:
Greyed out to disable the feature
Solid and vibrant to enable the feature
If the feature is enabled the following options will be available:
b. SSH Port
The available options are:
Any - choosing this option will search all of the traffic, regardless of service or TCP port, for packets that conform to the SSH protocol.
Specify - choosing this option will restrict the search for SSH protocol packets to the TCP port number specified in the field. This is not as comprehensive, but it is easier on the performance of the firewall.
c. Protocol Actions
Exec - Block, Log or neither. Select using check boxes.
Port-Forward - Block, Log or neither. Select using check boxes.
SSH-Shell - Block, Log or neither. Select using check boxes.
X11-Filter - Block, Log or neither. Select using check boxes.
7. Common Options
a. Allow Invalid SSL Certificates
Check the box to allow traffic to servers presenting invalid certificates (expired, untrusted, or not matching the hostname) to pass. Allowing them weakens the check that the server is who it claims to be, so leave this unchecked unless you have a specific reason.
b. Log Invalid Certificates
Check the box to have the logging function record traffic sessions that contained invalid certificates. This is worth enabling even when such traffic is blocked, since the log shows which users are reaching misconfigured or impersonated servers.
 
The SSH Deep Scan feature is enabled by default when creating a new SSL/SSH Inspection profile. There are situations where this feature can cause issues, so be sure that you want it enabled before applying it. In particular, because the FortiGate terminates the SSH session and presents its own host key, clients that have already saved the real server's host key will report that the host key has changed and may refuse to connect.
 
The context location for configuring the SSL/SSH Inspection in the CLI is:
config firewall ssl-ssh-profile
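The following is an added example of the equivalent CLI configuration for the procedure above; it is not text from the handbook. The profile name, comment and the address object "internal-banking-server" are assumed names. The FortiGuard category numbers (31 Finance and Banking, 33 Health and Wellness, 87 Personal Privacy) are assumed from the default deep-inspection profile and should be confirmed with `get webfilter categories` on your own unit, and some keywords differ between FortiOS releases, so use `?` in the CLI to check the ones available to you.

```fortios
config firewall ssl-ssh-profile
    edit "outbound-deep-inspection"
        # Step 3: comment describing purpose and scope
        set comment "Full SSL inspection for outbound web traffic"
        # Step 4a/4b: multiple clients to multiple servers, re-signing with the chosen CA.
        # Clients must trust this CA or every site will show a certificate warning.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        # Step 4c/4d: full inspection on port 443 only (use "config ssl / set inspect-all" for all ports)
        config https
            set ports 443
            set status deep-inspection
        end
        # Step 6: SSH deep scan on port 22
        config ssh
            set ports 22
            set status deep-inspection
        end
        # Step 5: exemptions (category IDs are assumed, see lead-in; address object name is assumed)
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type fortiguard-category
                set fortiguard-category 33
            next
            edit 3
                set type fortiguard-category
                set fortiguard-category 87
            next
            edit 4
                set type address
                set address "internal-banking-server"
            next
        end
        # Step 7a: do not let sessions with invalid server certificates through
        set allow-invalid-server-cert disable
    next
end
```

After creating the profile, attach it to a firewall policy that has SSL/SSH inspection enabled; the profile has no effect on its own. Use `show firewall ssl-ssh-profile outbound-deep-inspection` to confirm the settings were accepted.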