question

stylus avatar image
1 Like"
stylus asked

What certificate should I use for SSL Deep Inspection?

FortiOSSSL SSH inspectionSSL-VPNCertificate
10 |600
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

·
ldhillon avatar image
2 Likes"
ldhillon answered

Hello,

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

For deep inspection you would need to use a CERT that has Basic Constraints in the certificate saying CA=true.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-file-is-not-a-CA-file/ta-p/192523?externalID=FD50234

You can use the default cert provided by FGT which has the CA=true Constraints or get the cert from any Public CA if they provide so.

By using the cert provided by FGT you will get the cert warning though.

Here are few ways to prevent the cert warning while using FGT's cert

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/26402/preventing-certificate-warnings-ca-signed-certificate

cheers

10 |600
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Welcome to FortiAnswers

FortiAnswers is the space dedicated to FortiSASE and FortiOS questions and suggestions.

  • Please review the Community guidelines
  • If you are a moderator, please refer to the Moderation guidelines
  • If something in the above guidelines is unclear, please post your question to the Community Feedback space or the Moderators' space