SSL/SSH inspection
While the profile configuration for SSL/SSH Inspection is found in the Security Profiles section, it is enabled in the firewall policy by enabling any of the security profiles. Choosing which SSL/SSH Inspection profile to apply is all that can really be done in the policy.
The reason for having this inspection as part of the policy is the widespread use of encryption by both legitimate and malicious actors. Legitimate users of the Internet use encryption to hide their information from snooping, but attackers use encryption to hide their malicious content from being scanned for viruses and other malicious code by security devices.
By using the correct SSL certificates, the FortiGate can open encrypted traffic and inspect it for malicious content that would otherwise get past the other profiles, which cannot read encrypted traffic.
There are two basic types of inspection:
- Certificate inspection, which only looks at the certificate that encrypted the packets, to make sure that it is a recognized and valid certificate.
- Full inspection, or deep inspection, which looks at all of the content of the packet. While more thorough, it also consumes more resources.
HTTP Strict Transport Security (HSTS) Protocol
HSTS is a protocol used by Google Chrome and other web browsers to prevent man-in-the-middle attacks.
When performing deep inspection, the FortiGate intercepts the HTTPS traffic and sends its own self-signed CA certificate to the browser. If the browser is configured to use HSTS connections, it refuses the FortiGate CA certificate because that certificate is not on the trusted list for Google servers.
To keep the CA certificate from being refused, the HSTS settings should be cleared from the browser. Instructions for this vary between browsers.
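As an added example (not Fortinet's code and not from this page), the following Python models the browser-side behaviour described above: it parses Strict-Transport-Security headers into a per-host HSTS cache and shows why an intercepted chain that the client does not trust is refused outright for an HSTS host but only warned about elsewhere, and why a chain re-signed by a CA the client does trust is accepted either way. Host names, header values and timestamps are constructed sample data; the function names are the example's own.

```python
from typing import Dict, Optional, Tuple

HstsState = Dict[str, Tuple[float, bool]]   # host -> (expiry epoch, includeSubDomains)

def parse_hsts(header: str, now: float) -> Optional[Tuple[float, bool]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1): returns
    (expiry, includeSubDomains), or None if max-age is missing or non-numeric."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (now + max_age, include_sub)

def observe(state: HstsState, host: str, header: str, now: float) -> None:
    """Update the browser's HSTS cache from a response header (max-age=0 clears)."""
    parsed = parse_hsts(header, now)
    if parsed is None:
        return                               # malformed header: state unchanged
    expiry, _ = parsed
    if expiry <= now:
        state.pop(host.lower(), None)
    else:
        state[host.lower()] = parsed

def is_hsts_host(state: HstsState, host: str, now: float) -> bool:
    """True if host (or a parent domain with includeSubDomains) has a live policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = state.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def browser_decision(state: HstsState, host: str, chain_trusted: bool, now: float) -> str:
    """What a browser does with the certificate chain an inspecting device presents.
    chain_trusted is whether the client trusts the CA that re-signed the chain."""
    if chain_trusted:
        return "accept"                      # inspection CA trusted: HSTS is satisfied
    return "refuse" if is_hsts_host(state, host, now) else "warn"
```

Under HSTS the certificate error is fatal rather than click-through, which is why the page's remedy is to clear the HSTS entry; distributing the inspection CA to managed clients is the case modelled by chain_trusted=True.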