Created on 12-30-2014 01:50 PM Edited on 02-05-2024 04:38 AM By Jean-Philippe_P
Description
This article describes the steps to disable SSL/SSH inspection for a specific policy. It will also describe how to disable SSL/SSH inspection using a 'no-inspection' profile.
Scope
Solution
FortiOS 6.2 to 7.2:
- The profile named 'no-inspection', mentioned below, exists by default and can be used in policies.
As an alternative to this profile, consider using the option 'set utm-status disable' in the firewall policies.
This will cause the policy to behave like a simple allow/deny policy, or access list. No other security can be applied.
Also, consider the exempt list for the particular websites that do not work properly with inspection enabled (some domains are already included).
FortiOS 5.4 to 6.0:
- Manually create a 'no-inspection' SSL/SSH profile:
- Go to Security Profiles -> SSL/SSH inspection and select the '+' icon to create a new SSL/SSH inspection profile.
- Disable all the port details.
- Apply the profile created above to the policy where SSL/SSH inspection must be disabled.
For the previous FortiOS 5.2 version (no longer supported):
- Create a separate policy for HTTPS without any security profiles applied (possible in this version).
- Use a customized SSL inspection profile, where port 443 is changed to an unused port. Traffic over that port will be inspected, so it may impact that traffic.
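Because both options described for FortiOS 6.2 to 7.2 remove SSL/SSH inspection from a policy, it helps to keep a list of the policies that use them. The following is an added example, not part of the original article or Fortinet tooling: it parses a 'config firewall policy' block and reports policies that use the 'no-inspection' profile or have 'utm-status' disabled. The function names and the sample configuration are constructed for illustration, and the script assumes that a policy without a 'set utm-status' line has it disabled.

```python
import re
# Constructed sample in the style of 'show firewall policy' output (not from the article).
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "lan-to-wan-web"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
    edit 2
        set name "lan-to-bank"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
    next
    edit 3
        set utm-status disable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: value}} from a 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif in_block and current is None and line == "end":
            in_block = False  # end of the policy table; ignore later blocks
        elif in_block and line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif in_block and line == "next":
            current = None
        elif current is not None:
            # Single-valued settings only; multi-valued lines are skipped.
            m = re.match(r'set (\S+) "?([^"]*)"?$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return policies

def uninspected(policies):
    """List (id, name, reason) for policies that skip SSL/SSH inspection."""
    findings = []
    for pid, cfg in sorted(policies.items()):
        # Assumption: a policy without a 'set utm-status' line is treated as disabled.
        if cfg.get("utm-status", "disable") == "disable":
            findings.append((pid, cfg.get("name", ""), "utm-status disable"))
        elif cfg.get("ssl-ssh-profile") == "no-inspection":
            findings.append((pid, cfg.get("name", ""), "no-inspection profile"))
    return findings
```

Calling `uninspected(parse_policies(text))` on a saved policy listing returns the policies to review against the intended exceptions.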