SSL Certificate Inspection:
Uses the SNI, subject or SAN; it can only do web filtering.
When using SSL certificate inspection, the SSL handshake is not interrupted, but the FortiGate reads the CN part of the certificate. The CN holds the URL the certificate was signed for, so the FortiGate has a URL to look up in its category database. The TLS/SSL content itself is not read in any way.
Two local CA certificates are used for SSL inspection:
Fortinet_CA_SSL
Fortinet_CA_Untrusted
List all local certificates
show vpn certificate local
A preconfigured SSL certificate inspection profile is available.
SSL exemptions can be added by reputation, category or address.
SSL Decryption for Outbound traffic
Two default SSL/SSH inspection profiles:
-- read-only "deep-inspection"
-- "custom-deep-inspection"
SSL Decryption for Inbound traffic