The best explanation I have found about how to configure and use SSL inspection for FG, thanks.
Short and direct to the point.
Great Video with Clear Explanation.
Thank you for the good explanation.
Incredible explanation, thanks mate!
Great explanation, thanks.
Awesome mate, thank you😊
Great explanation!
Video is much appreciated.
Question: can this work for Transparent Proxy?
Thanks for your video, great work, and I have 2 questions:
1. I disabled the deep inspection and expect from DPI, even though I am intermittently getting SSL fatal error received error for proxy policy
2. You uploaded the CA and Intermediate certificate to certificate authority, and it shows the validity of 2032 while the browser shows 2022...
Great work, can we buy SSL and use it for outbound deep inspection? The user will not face any issue?
Hi Salman, great question. You cannot purchase an SSL certificate that can be used for deep inspection, and that is because the certificate provider (i.e. say GoDaddy, Verisign, Google) will not provide an intermediate certificate (i.e. a certificate that can sign other certificates) because it would eliminate the purpose of a 3rd party trusted root CA -> it gets a bit technical, but it's essentially possible from a technical standpoint, but not realistic due to how public CAs work.
What you can do is use the built-in Fortinet certificate, or create an intermediate certificate using an internal CA (such as using Microsoft CA, XCA, FortiAuthenticator, etc.). Using an internal CA is a good approach for scalability and certificate revocation.
@@tothepointfortinet3823 thanks for the answer, so if I want to use deep packet inspection in a workgroup environment and on guest laptops/phones, I have to import the SSL cert manually on every device... right?
@@movisajid Yes, the certificate needs to be on every device. As for whether you have to do it manually, or if there is an automatic alternative -> I haven't experienced this in a non-GPO environment. I'm sure there is a way to do it at scale; one thing that comes to mind is something like a NAC solution, but this would require some time/consideration.
@@tothepointfortinet3823 so is it an intermediate certificate authority on the FortiGate?
@@Salmankhan-wb4xi Sort of. The FortiGate comes with an intermediate certificate that can be used for Deep Inspection -> it's automatically created and you can't, for example, go on the FortiGate and create more intermediate certificates to use for DPI -> if you want an application that can generate certificates (including intermediate certificates) then you could use FortiAuthenticator, or XCA, or Microsoft CA.
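As an added example (not code from the video, the thread, or Fortinet), the following Go program, using only the standard library, builds what the answers above describe: an internal root CA, an intermediate that can sign certificates (the property a public CA will not issue you), and the re-signed server certificate an inspecting firewall presents to the client. All names and validity periods are constructed; the program also shows why a device without the internal root installed rejects the re-signed certificate, and that the re-signed leaf carries a validity period of its own, independent of the signing CA's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// tmpl builds a server-leaf template (name-bound, no signing power); ca=true makes it a CA: basic constraint plus CertSign.
func tmpl(cn string, ca bool, years int, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}}
	if ca { // a certificate that can sign other certificates: the thread's "intermediate"
		t.KeyUsage, t.DNSNames = x509.KeyUsageCertSign, nil
	}
	return t
}
// issue signs t for key's public half with signer (self-signed when parent == t).
func issue(t, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
// BuildInspectionChain constructs (all names constructed) internal root -> inspection intermediate ->
// re-signed leaf for host, as an inspecting firewall does. The leaf gets its own, shorter validity.
func BuildInspectionChain(host string) (root, inter, leaf *x509.Certificate) {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rk, ik, lk, rt := key(), key(), key(), tmpl("Internal Root CA", true, 10, 1)
	root = issue(rt, rt, rk, rk)
	inter = issue(tmpl("Inspection Intermediate CA", true, 8, 2), root, ik, rk)
	leaf = issue(tmpl(host, false, 1, 3), inter, lk, ik)
	return
}
// CanSign reports whether c may issue certificates (what a public CA sells you never has this).
func CanSign(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}
// TrustedBy reports whether a client trusting only root (nil = nothing installed, as on an
// unmanaged guest device) accepts leaf for host; false is the browser's certificate warning.
func TrustedBy(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if root != nil { roots.AddCert(root) }
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
```

The inbound case from further down the thread is the mirror image: there the leaf is signed by a public CA whose root every client already holds, so TrustedBy succeeds without installing anything.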
Great tutorial... Just one question: how can I implement deep inspection for inbound traffic going to a public-facing website? We can't just instruct the public to install the Fortinet CA cert every time they have certificate warnings when accessing our public websites.
You'd have to implement SSL offloading (also called inbound deep inspection) on the FortiGate. And you'll need to have a 3rd party CA like GoDaddy, Verisign, etc. to sign the cert for you, since each PC/device has trusted root CAs with certs from third party CAs preinstalled.
Hello, can we also do full SSL with the firewall policy set to flow-based instead of proxy-based?
Yes 👍
Hi TTPF, great video(s). I see search support as a bookmark; this means that you are already on the Dark Side!
Lol!! Search support = lifesaver
Thank you!
Blocking QUIC is still the answer? It is no longer a Google protocol; it has in the meantime been standardized by the IETF. The firewall vendors should start to learn how to do deep inspection on QUIC…
Deep Inspection of HTTP3 over QUIC is supported in 7.2.0 and newer.