
Fortigate OS SSL Deep-Scan Feature provides secure remote access

Secure Sockets Layer (SSL) is now the de facto way end users reach applications remotely, so inspecting SSL-protected traffic on the Fortinet Fortigate UTM appliance has become a core part of providing secure remote access. In the latest release of Fortinet's Fortigate OS, MR 5.0.1, the SSL/SSH inspection options have been extended to cover all of the SSL protocols. By default every SSL protocol in SSL/SSH inspection is disabled, so nothing is decrypted or scanned until you enable it. You therefore need to enable SSL/SSH inspection for the protocols you need whenever this feature set is required.

Prior to the 5.0.1 software update, SSL scanning was configured as follows:

1) The antivirus, web filter, and anti-spam profiles each had separate protocol settings for the SSL and non-SSL versions of a protocol.

2) For HTTPS deep scanning to take place, deep-scan had to be enabled for HTTPS in the UTM proxy options.

With the 5.0.1 firmware upgrade, the following changes apply:

1) The separate SSL protocol settings in the antivirus, web filter, and anti-spam profiles have been removed. Instead, each protocol's non-SSL setting now applies to both the SSL and non-SSL versions of that protocol.

2) The SSL/SSH inspection options now include an enable/disable status for each protocol. This controls which protocols are scanned and which SSL-enabled protocols are decrypted.

To use HTTPS non-deep inspection (inspection of the SSL handshake only, without decrypting the session), HTTPS must be enabled in the SSL/SSH inspection options, and a web filter profile with https-url-scan enabled must be applied in the same firewall policy as those SSL/SSH inspection options. The https-url-scan option switches HTTPS to non-deep inspection mode: URL filtering still works, but antivirus scanning is not performed because the content is never decrypted. Note that https-url-scan has no effect if SSL inspect-all is enabled in the SSL/SSH inspection options, so if HTTPS is still being deep-scanned after enabling it, check the inspect-all setting first.

Should you have any questions or would like additional information, please contact TBNG Consulting at contact@tbngconsulting.com or at 855-512-4817.