SSL content scanning and inspection
Supported FortiGate models
Setting up certificates to avoid client warnings
Figure 274: FortiGate SSL content scanning and inspection packet flow
1. Client starts HTTPS, IMAPS, POP3S or SMTPS session; encrypted packets accepted by firewall policy.
2. Protection profile includes SSL content scanning and inspection.
3. SSL decrypt/encrypt process decrypts SSL sessions using session certificate and key.
4. Protection profile content scanning and inspection applied (antivirus, web filtering, spam filtering, DLP, content archiving).
5. Session encrypted using SSL session certificate and key.
6. Encrypted packets forwarded to destination HTTPS, IMAPS, POP3S, or SMTPS server.
FortiGate models that support SSL acceleration also support SSL content scanning and inspection. The following FortiGate models support SSL content scanning and inspection:
• 110C
• 111C
• 310B
• 602B
• 3016B
• 3600A
• 3810A
• 5005FA2
• 5001A.
FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed
between clients and servers during SSL session handshakes and substitutes spoofed
keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate
unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit
the packets are decrypted.
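The key substitution described above, as an added example that is not part of this guide and not FortiGate code: a Python model of the two-session flow using toy certificates (HMAC stands in for a real CA signature, and the CA names and host name are constructed). It shows why a client accepts the re-signed certificate only when the FortiGate CA has been added to its trust store, which is the reason the guide covers setting up certificates to avoid client warnings.

```python
import hashlib
import hmac
import secrets

# Toy certificate model (constructed stand-in for X.509; HMAC replaces a real
# CA signature so the example runs with the standard library only).

def make_ca(name):
    """A certificate authority: name plus a secret signing key."""
    return {"name": name, "key": secrets.token_bytes(32)}

def _cert_body(subject, subject_key, issuer):
    return f"{subject}|{subject_key.hex()}|{issuer}".encode()

def sign_cert(ca, subject, subject_key):
    """Issue a certificate for `subject` binding it to `subject_key`."""
    sig = hmac.new(ca["key"], _cert_body(subject, subject_key, ca["name"]),
                   hashlib.sha256).hexdigest()
    return {"subject": subject, "key": subject_key, "issuer": ca["name"], "sig": sig}

def verify_cert(cert, trust_store, expected_subject):
    """Handshake check as a client does it: trusted issuer, valid signature,
    and the certificate name matches the host the client asked for."""
    ca = trust_store.get(cert["issuer"])
    if ca is None or cert["subject"] != expected_subject:
        return False  # unknown issuer or wrong name: the client shows a warning
    expected = hmac.new(ca["key"], _cert_body(cert["subject"], cert["key"], ca["name"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

def fortigate_intercept(server_cert, fortigate_ca, fortigate_trust_store):
    """Step 3 of the figure: the unit validates the real server certificate on
    the server-side session, then presents a re-signed certificate for the same
    subject, under a key it generated itself, on the client-side session."""
    if not verify_cert(server_cert, fortigate_trust_store, server_cert["subject"]):
        raise ValueError("upstream server certificate failed validation")
    spoofed_key = secrets.token_bytes(32)  # key substituted by the FortiGate unit
    return sign_cert(fortigate_ca, server_cert["subject"], spoofed_key)

def client_accepts(server_subject, trusts_fortigate_ca):
    """Run the full flow and report whether the client accepts the session."""
    public_ca = make_ca("Public Root CA")  # constructed names
    fortigate_ca = make_ca("FortiGate Inspection CA")
    real_cert = sign_cert(public_ca, server_subject, secrets.token_bytes(32))
    spoofed = fortigate_intercept(real_cert, fortigate_ca, {public_ca["name"]: public_ca})
    client_store = {public_ca["name"]: public_ca}
    if trusts_fortigate_ca:
        client_store[fortigate_ca["name"]] = fortigate_ca  # CA distributed to clients
    return verify_cert(spoofed, client_store, server_subject)
```

With only the public CA in its trust store the client rejects the re-signed certificate; once the FortiGate CA is added, the same session is accepted without a warning.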
FortiGate Version 4.0 MR1 Administration Guide
Firewall Protection Profile
01-410-89802-20090903
http://docs.fortinet.com/