Description
This article explains the process of identifying application signatures that require deep inspection.
Scope
FortiGate, UTM.
Solution
Option 1:
Application control relies on a deep inspection profile for optimal functionality. However, it is worth noting that deep SSL inspection may not be essential for applications that do not require it.
Additionally, there is a banner at the top of the profile that indicates whether certain applications necessitate deep inspection.
To identify applications that require deep inspection, search for the specific application in the FortiGuard database at:
https://www.fortiguard.com/appcontrol/
In some cases, the application might use TCP ports 80 and 443, in these specific cases FortiGuard Labs link will mark the SSL Deep Inspection as NO, but the application DO need deep inspection.
By convention FortiGuard Labs team mark this application as NO when both TCP ports (80 and 443) are used by the application. So it is necessary to enable deep inspection for such applications.
The best way to confirm if an application needs or not deep inspection is checking the vendor's website. Eg. Dropbox is marked as having no deep inspection on the FortiGuard Labs link
But the Dropbox link shows that it does need deep inspection.
Link:
https://help.dropbox.com/installs/configuring-firewall
Option 2:
Alternatively, this information can also be verified under 'Application Signatures' within the Security Profiles.
Enter the signature name into the search field, and the presence of a lock icon next to the application signature will signify that deep SSL inspection is required for that signature.
Related documents:
Creating application control profiles
SSL/TLS deep inspection
Technical Tip: How to enable deep inspection and import a certificate in the browser.
