Description
Prior to v4.0, SSL content scanning applied only to HTTPS web filtering, which looked at the CN field of the SSL certificate. FortiOS 4.0 performs a full AV/webfilter/spamfilter scan of HTTPS, IMAPS, POP3S and SMTPS with the new SSL proxy.
- FortiOS v3.0: HTTPS web filtering only, based on clear-text information (the certificate CN).
- FortiOS v4.0: full AV/webfilter/spamfilter scan of HTTPS, IMAPS, POP3S and SMTPS with the new SSL proxy.
Solution
Secure Sockets Layer
- SSL server authentication - allows a user to confirm a server's identity. During the SSL handshake, the server sends the client a certificate to authenticate itself. The client uses the certificate to authenticate the identity the certificate claims to represent.
- SSL client authentication (optional) - allows a server to confirm a client's identity. HTTPS Client Authentication requires the client to possess a Public Key Certificate (PKC). If you specify client authentication, the web server will authenticate the client using the client’s public key certificate.
- Encrypted communication.
- The SSL proxy is only available on CP6-powered FortiGates.
- Inserts before application proxies (HTTP, SMTP, …).
- Creates spoofed server certificates on the fly.
- Bypassed if the client authenticates.
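A client-side check for the re-signing behaviour listed above, as an added example that is not part of the original article or of any Fortinet tooling: it builds two throwaway CAs and two certificates for the same hostname with the openssl CLI, then compares subject CN, issuer CN and chain of trust. The hostname, the CA names and the helpers `cert_cn` and `classify_cert` are constructed for illustration; on a real client the inspection CA file would be the certificate exported from the inspecting device.

```shell
#!/bin/sh
# Constructed demo material: two throwaway CAs and two leaf certificates
# for the same hostname. Every name here is made up for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {   # make_ca <name> <subject CN>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" 2>/dev/null
}

make_leaf() { # make_leaf <name> <signing CA name> <host CN>
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Print the commonName of the subject or of the issuer of a certificate.
cert_cn() {   # cert_cn <cert.pem> <subject|issuer>
    openssl x509 -in "$1" -noout "-$2" -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print "inspected" when the certificate chains to the given inspection CA
# and to nothing else (-no-CApath keeps the system trust directory out of
# the decision); print "direct" otherwise.
classify_cert() { # classify_cert <leaf.pem> <inspection-ca.pem>
    if openssl verify -CAfile "$2" -no-CApath "$1" >/dev/null 2>&1; then
        echo inspected
    else
        echo direct
    fi
}

make_ca public  "Constructed Public CA"       # stands in for the real issuer
make_ca inspect "Constructed Inspection CA"   # stands in for the proxy's CA
make_leaf origin   public  mail.example.test  # what the server really sends
make_leaf resigned inspect mail.example.test  # what an inspected client sees

for c in origin resigned; do
    echo "$c: subject=$(cert_cn "$WORK/$c.pem" subject)" \
         "issuer=$(cert_cn "$WORK/$c.pem" issuer)" \
         "-> $(classify_cert "$WORK/$c.pem" "$WORK/inspect.pem")"
done
```

The subject CN is identical in both certificates, so a CN-only check cannot tell them apart; the issuer and the chain of trust are what distinguish an inspected session, which is also why clients must trust the inspection CA before the proxy is enabled.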
SSL proxy configuration - GUI
See also SSL Global Settings
Antivirus global settings
config antivirus service imaps
config antivirus service pop3s
config antivirus service smtps
config antivirus filepattern
edit "zip"
set filter-type type
set file-type zip
set active imap smtp pop3 http ftp im nntp imaps smtps pop3s https
next
end
Related Articles
Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering