Day 8 - Coggle Diagram
Outbound SSL/TLS Inspection Configuration
Outbound SSL Inspection Profile Creation
Purpose: Decrypt and inspect encrypted outbound HTTPS traffic
Modes of Inspection
Certificate Inspection – Only validates server certificates
Full (Deep) SSL Inspection – Decrypts and re-encrypts traffic for full visibility
FortiGate as SSL Proxy
Intercepts HTTPS session
Presents re-signed certificate to client
Inspects decrypted data, re-encrypts, forwards to destination
Signing Certificate
FortiGate’s Default CA (for labs)
Imported Enterprise CA (for production)
Key Concept: Clients must trust the CA used by FortiGate
Attaching SSL Inspection Profile to Firewall Policy
Purpose: Activate inspection for outbound traffic
Apply to outbound (LAN → WAN) policy
Action: Accept
Attach Deep Inspection profile
Add other security profiles (AV, Web Filter, App Control, IPS)
Inspection Flow
Client → FortiGate decrypts → inspects → re-encrypts → Internet
Logs generated for HTTPS sessions
Key Concept: Inspection profile only works when linked to a policy
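The two steps above (creating a deep-inspection profile and attaching it to the outbound policy) as a FortiOS CLI script. This is an added example, not part of the original notes or Fortinet documentation; the interface names "internal" and "wan1", the profile name "deep-inspection-lab" and the use of the built-in "default" AV, web filter, application control and IPS profiles are assumptions to adjust for your own unit.

```fortios
# Added example (not from the original notes). Assumed names: interfaces
# "internal" and "wan1", profile "deep-inspection-lab", "default" UTM profiles.

# 1. Deep-inspection SSL/SSH profile. Server certificates are re-signed with
#    the FortiGate's built-in CA (lab use); for production point caname at an
#    imported enterprise CA instead.
config firewall ssl-ssh-profile
    edit "deep-inspection-lab"
        set comment "Full SSL inspection for outbound HTTPS"
        config ssl
            set inspect-all deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end

# 2. Outbound LAN -> WAN policy: action accept, UTM enabled, the SSL profile
#    attached together with the other security profiles, and logging of all
#    sessions so the HTTPS traffic appears in the forward traffic log.
#    "edit 0" creates the policy with the next free ID.
config firewall policy
    edit 0
        set name "LAN-to-WAN-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-lab"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
end
```

A policy created this way lands at the bottom of the policy table. If a broader LAN-to-WAN policy without `ssl-ssh-profile` sits above it, that policy matches first and no inspection happens (the "wrong policy order" symptom from the troubleshooting section); move the inspected policy above it with `config firewall policy` / `move <new-id> before <old-id>`.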
Client Trust Requirements
Why Trust Is Needed
FortiGate re-signs certificates
Browsers must trust FortiGate’s CA to avoid “Untrusted” warnings
Trust Deployment Methods
Manual installation on each device (lab)
Group Policy or MDM for enterprise rollout
Maintenance
Renew CA certificates periodically
Reinstall updated CA on clients
Key Concept: Client trust is essential for seamless SSL inspection
SSL Exemptions
Purpose: Prevent decryption of sensitive or incompatible traffic
Reasons for Exemption
Privacy: Banking, healthcare, government
Technical: Certificate pinning
Performance: Exclude high-traffic trusted domains
Exemption Types
Category-based (Finance, Health)
FQDN-based (*.paypal.com, *.microsoft.com)
Certificate-based (trusted issuer)
Best Practice: Keep exemptions minimal and reviewed regularly
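The category-based and FQDN-based exemption types above, added to the same deep-inspection profile. This is an added example rather than the original notes' or Fortinet's configuration; the profile name "deep-inspection-lab" and the wildcard-FQDN object names are assumptions. FortiGuard category 31 is "Finance and Banking" on current FortiOS releases, but category IDs should be confirmed against the unit's own category list before relying on them. Certificate-based (trusted issuer) exemptions are not shown here.

```fortios
# Added example (not from the original notes). Assumed names: profile
# "deep-inspection-lab", wildcard objects "wc-paypal" and "wc-microsoft".

# Wildcard FQDN objects that the exemption entries reference.
config firewall wildcard-fqdn custom
    edit "wc-paypal"
        set wildcard-fqdn "*.paypal.com"
    next
    edit "wc-microsoft"
        set wildcard-fqdn "*.microsoft.com"
    next
end

config firewall ssl-ssh-profile
    edit "deep-inspection-lab"
        config ssl-exempt
            # Category-based: finance/banking sites pass through undecrypted
            # (31 = Finance and Banking; verify on your unit).
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            # FQDN-based: a pinned payment site and a high-volume trusted
            # vendor domain are excluded from decryption.
            edit 2
                set type wildcard-fqdn
                set wildcard-fqdn "wc-paypal"
            next
            edit 3
                set type wildcard-fqdn
                set wildcard-fqdn "wc-microsoft"
            next
        end
    next
end
```

Every entry under `config ssl-exempt` is traffic the AV, web filter and IPS profiles will never see, so `show firewall ssl-ssh-profile "deep-inspection-lab"` is a quick way to review the current exemption list during the periodic review the best-practice line calls for.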
Troubleshooting Outbound SSL Inspection
Common Issues
Browser “Not Trusted” – CA not installed on client
HTTPS site fails – Certificate pinning or missing exemption
No AV/Web filter logs – Wrong inspection profile or policy order
Slow browsing – Heavy SSL decryption workload
Tools & Verification
Browser certificate viewer – Check issuer (FortiGate CA)
Forward traffic logs – Confirm SSL inspection applied
diag debug flow – Trace packet processing
SSL stats dashboard – Monitor inspection load
Key Concept: Most SSL issues relate to CA trust or incorrect profile linkage
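The verification tools listed above as a set of FortiOS CLI checks, in the order a practitioner would usually run them. This is an added example, not from the original notes; the profile name "deep-inspection-lab" and the client address 192.0.2.25 are constructed placeholders.

```fortios
# Added example (not from the original notes). Placeholders: profile
# "deep-inspection-lab", client 192.0.2.25.

# 1. Profile linkage: confirm the outbound policy references the profile
#    and check the CA the profile signs with (must match what clients trust).
show firewall policy
show firewall ssl-ssh-profile "deep-inspection-lab"

# 2. Forward traffic log for the client: sessions on 443 should show the
#    policy ID and UTM fields; if the UTM fields are empty, the traffic hit
#    a policy without the profile.
execute log filter category 0
execute log filter field srcip 192.0.2.25
execute log display

# 3. Live session table restricted to HTTPS from the client.
diagnose sys session filter clear
diagnose sys session filter src 192.0.2.25
diagnose sys session filter dport 443
diagnose sys session list

# 4. Packet-flow trace: shows which policy matched and whether the session
#    was handed to the proxy. Reproduce the failing HTTPS request from the
#    client while the trace runs, then stop it.
diagnose debug reset
diagnose debug flow filter saddr 192.0.2.25
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the failing HTTPS request from the client here ...
diagnose debug disable
diagnose debug flow trace stop
```

Read the results against the common-issue list: a "Not Trusted" browser warning with correct policy matching points at the client CA store, while a policy ID in the trace that belongs to an uninspected policy points at policy order or profile linkage.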
Summary
FortiGate acts as a trusted decrypting proxy for outbound HTTPS traffic
To make SSL inspection successful:
Create and use a Deep Inspection profile
Attach it to outbound policies
Ensure clients trust the FortiGate CA
Apply SSL exemptions carefully
Troubleshoot using logs and certificate checks