SSL content scanning and inspection Firewall Protection Profile
FortiGate Version 4.0 MR1 Administration Guide
482 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Figure 274: FortiGate SSL content scanning and inspection packet flow
Supported FortiGate models
FortiGate models that support SSL acceleration also support SSL content scanning and
inspection. The following FortiGate models support SSL content scanning and inspection:
•110C
• 111C
• 310B
• 602B
• 3016B
• 3600A
• 3810A
• 5005FA2
• 5001A.
Setting up certificates to avoid client warnings
FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed
between clients and servers during SSL session handshakes and substitutes spoofed
keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate
unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit
the packets are decrypted.
HTTPS, IMAPS,
POP3S, or
SMTPS Server
Client Starts
HTTPS, IMAPS,
POP3S or
SMTPS session
HTTPS, IMAPS, POP3S or
SMTPS encrypted packets
accepted by firewall policy
1
Protection profile includes
SSL content scanning and
inspection
2
SSL decrypt/encrypt process
decrypts SSL sessions
using session certificate
and key
Protection Profile content
scanning and inspection
applied (antivirus, web filtering,
spam filtering, DLP,
content archiving)
3
Session encrypted
using SSL session
certificate and key
Encrypted packets
forwarded to destination
4
5
6
Protection
profile
Firewall
SSL Decrypt/
Encrypt Process
Content scanning
and inspection
3 1
2
Encrypted
packets
3 1
2
Encrypted
packets
3 1
2
Decrypted
packets
To Next Page
Loading...
