Muhammad_Haiqal
Article Id 198305
Description
This article describes how to implement deep SSL inspection in a network.
HTTPS traffic is secured traffic between users and websites. Only the requesting user is able to see the content on the website.

Example:

1) In a real-life scenario:
A person sends a parcel to another person. The parcel is secured and only the two of them know its content. The delivery man only knows that these people are communicating with each other; he does not know the content of the parcel.

2) In the HTTPS scenario:
A person opens www.facebook.com. FortiGate only knows that this person is opening www.facebook.com. FortiGate does not know which features the person is using on www.facebook.com.

In the scenarios above, the delivery man or FortiGate needs to inspect the content in order to have full visibility of the parcel or of the traffic traversing the FortiGate.
Once the delivery man has that visibility, he can detain dangerous or illegal items (such as scissors, weapons and so on) while still delivering the allowed items.
Once FortiGate has visibility of the traffic traversing between the person and www.facebook.com, FortiGate can accurately block certain features of Facebook.

Scenario:

The user wants to do deep inspection for the segment 192.168.1.0/24 only.
The default security profiles will be used.

Solution
Create an Address Object:

Go to: Policy & Objects -> Addresses

Click on 'Create New' and 'Address'


Enter the information as follows:

Apply to the Policy:

Go to: Policy & Objects -> IPv4 Policy
Click on 'Create New' button

Enter the information accordingly. Make sure the Source is the “192.168.1.0/24” address object that was just created.



In the Security Profiles section, enable 'Web Filter' and 'Application Control' and select 'default' as the profile for each.
For 'SSL Inspection', select 'deep-inspection'.


Then click 'OK' once finished.
Move the 'DeepInspection' policy to the top of the policy list.

Import the certificate to the PC:


To avoid browser errors such as 'certificate is not trusted', 'Your connection is not private' or similar, follow the steps below:
Go to: Security Profiles -> SSL/SSH Inspection
Double click on 'deep-inspection' profile.


Then click 'Download Certificate'


Run the downloaded certificate and click 'Install Certificate…'


Click 'Next'

Select 'Place all certificates in the following store' and click 'Browse…'



Select 'Trusted Root Certification Authorities' and click 'OK'

Click 'Next' and 'Finish'

On the Security Warning page, proceed with 'Yes'

After the certificate is successfully installed on the PC, the browser will no longer prompt with the 'Certificate is not trusted' error.
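
A scripted form of the import steps above for Windows PowerShell, added here as an example and not part of the original article. It checks the downloaded file against a thumbprint obtained out of band before trusting it as a root CA; the file path, the expected thumbprint and the choice of the current-user store are assumptions to replace.

```powershell
# Added example (not from the original article). Replace the placeholders before running.
param(
    # Assumed location of the file saved by 'Download Certificate'.
    [string]$CertPath = "$env:USERPROFILE\Downloads\<downloaded-certificate>.cer",
    # SHA-1 thumbprint of the FortiGate CA, obtained out of band from the firewall administrator.
    [string]$ExpectedThumbprint = '<expected-thumbprint>',
    # Assumed: current-user store, the Certificate Import Wizard's default location.
    [string]$Store = 'Cert:\CurrentUser\Root'
)
$ErrorActionPreference = 'Stop'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Confirm the file is the certificate the administrator published.
#    Spaces and colons in the expected value are ignored.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not installing."
}

# 2. A certificate used to re-sign inspected traffic must be a CA certificate
#    (basicConstraints, OID 2.5.29.19, with CA=TRUE).
$raw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $raw) { throw 'No basicConstraints extension; this is not a CA certificate.' }
$bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension -ArgumentList $raw, $raw.Critical
if (-not $bc.CertificateAuthority) { throw 'basicConstraints has CA=FALSE. Not installing.' }

# 3. Refuse a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Install into 'Trusted Root Certification Authorities' unless it is already there.
$existing = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($existing) {
    Write-Output "Already trusted in $Store."
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $Store | Out-Null
    Write-Output "Installed into $Store."
}

# 5. Show what is now trusted, for the change record.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Any certificate in this store can vouch for every HTTPS site the user visits, which is why the script refuses to install a file whose thumbprint does not match.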
