Deep Inspection on FortiGate firewall with 5 Examples

ToThePoint Fortinet

In this video we will cover how to configure deep inspection on a FortiGate firewall along with 5 example scenarios where deep inspection can be used.
0:00 Overview
0:16 Configure Deep Inspection
2:27 Testing + Certificate Installation
4:09 Block QUIC Protocol
5:50 Exempt from SSL Inspection
6:42 Example1 - Virus Prevention
7:29 Example2 - Application Visibility/Control
9:42 Example3 - Video Filter
10:30 Example4 - Content Filter/Banned Word
11:12 Example5 - Safe Search
13:19 Performance Considerations
14:28 Create a DPI Certificate
17:58 Push Certificate via GPO

Comments: 26
@fran_je3283 (1 year ago)
The best explanation I had found about how to configure and use SSL inspection for FG. Thanks.
@vivekbannore2250 (2 years ago)
Short and direct to the point.
@sinnedam (9 months ago)
Thank you for the good explanation.
@faisal04021987 (1 year ago)
Great Video with Clear Explanation.
@psnfilms (1 year ago)
Incredible explanation, thanks mate!
@norbertovelazquez320 (2 years ago)
Great explanation!
@rexmundi273 (1 year ago)
Great explanation, thanks.
@rajanrkv (1 year ago)
Awesome mate, thank you😊
@user-hb4nw4mb8v (1 year ago)
Thank you!
@MihaiIonescu-fx3yv (1 year ago)
Hi TTPF, great video(s), I see search support as bookmark, this means that you are already on the Dark Side!
@tothepointfortinet3823 (1 year ago)
Lol!! Search support = lifesaver
@raffickmca (1 year ago)
Thanks for your video, great work and I have 2 questions: 1. I disabled the deep inspection and expect from DPI, even though I am intermediately getting SSL fatal error received error for proxy policy. 2. You uploaded the CA and Intermediate certificate to certificate authority and it show the validity of 2032 and the browser show 2022...
@Jisamaniac (6 months ago)
Video is much appreciated. Question: can this work for Transparent Proxy?
@JheromSarmiento (1 year ago)
Great tutorial...Just one question, how can I implement deep inspection for inbound traffic going to a public-facing website? We can't just instruct the public to install the fortinet CA cert every time they have certificate warnings when accessing our public websites.
@tothepointfortinet3823 (1 year ago)
You'd have to implement SSL offloading (also called inbound deep inspection) on the FortiGate. And you'll need to have a 3rd party CA like GoDaddy, Verisign etc to sign the cert for you since each PC/device has trusted root CAs with certs from third party CAs preinstalled.
@Michael-er8dh (1 year ago)
Hello, can we also do full ssl with firewall policy set to flow based instead of proxy based?
@tothepointfortinet3823 (1 year ago)
Yes 👍
@Salmankhan-wb4xi (1 year ago)
Great work, can we buy ssl and use it for outbound deep inspection? The user will not face any issue?
@tothepointfortinet3823 (1 year ago)
Hi Salman, great question. You cannot purchase an SSL certificate that can be used for deep inspection, and that is because the certificate provider (i.e. say GoDaddy, Verisign, Google) will not provide an intermediate certificate (i.e. a certificate that can sign other certificates) because it would eliminate the purpose for a 3rd party trusted root CA -> it gets a bit technical, but it's essentially possible from a technical standpoint, but not realistic due to how public CAs work. What you can do, is use the built in Fortinet certificate, or create an intermediate certificate using an internal CA (such as using Microsoft CA, XCA, FortiAuthenticator etc.). Using an internal CA is a good approach for scalability and certificate revocation.
@movisajid (1 year ago)
@tothepointfortinet3823 thanks for the answer, so if I want to use deep packet inspection in workgroup environment and guest laptops/phones I have to import ssl cert manually on every device.. right?
@tothepointfortinet3823 (1 year ago)
@movisajid Yes, the certificate needs to be on every device. As for whether you have to do it manually, or if there is an automatic alternative -> I haven't experienced this in a non-GPO environment. I'm sure there is a way to do it at scale, one thing that comes to mind is something like a NAC solution, but this would require some time/consideration.
@Salmankhan-wb4xi (1 year ago)
@tothepointfortinet3823 so is it intermediate certificate authority on FortiGate?
@tothepointfortinet3823 (1 year ago)
@Salmankhan-wb4xi Sort of. The FortiGate comes with an intermediate certificate that can be used for Deep Inspection -> it's automatically created and you can't for example go on the FortiGate and create more intermediate certificates to use for DPI -> if you want an application that can generate certificates (including intermediate certificates) then you could use FortiAuthenticator, or XCA, or Microsoft CA.
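Editor's added example, not part of the comments above or of the video: it uses the OpenSSL command line to show the point of this thread, that a deep-inspection signing certificate must be a CA certificate issued by an internal CA, while an ordinary server certificate of the kind a public CA sells cannot sign other certificates. All names, the `ext.cnf` file and its section names are constructed for the illustration, and the keys are throwaway.

```shell
#!/usr/bin/env bash
# Added example: throwaway keys and constructed names, built offline in a temp dir.
set -eu

mkcsr() {  # mkcsr <name> <CN>: new private key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {   # sign <name> <issuer> <extension section in ext.cnf>
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}
verify() { # verify <intermediate> <leaf>: the chain must reach the internal root
  if openssl verify -CAfile root.crt -untrusted "$1.crt" "$2.crt" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

dpi_chain_demo() (
  cd "$(mktemp -d)"
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_dpi]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Internal root CA: the trust anchor that client devices must have installed.
  mkcsr root "Example Internal Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ext.cnf -extensions v3_root -out root.crt 2>/dev/null
  mkcsr dpi "Example DPI Signing CA";  sign dpi root v3_dpi      # CA:TRUE
  mkcsr bought "www.example.test";     sign bought root v3_leaf  # CA:FALSE
  # A deep-inspection device re-signs the visited site's certificate with its own key.
  mkcsr site_a "site.example.test";    sign site_a dpi v3_leaf
  mkcsr site_b "site.example.test";    sign site_b bought v3_leaf
  echo "ca_signer=$(verify dpi site_a) leaf_signer=$(verify bought site_b)"
)

dpi_chain_demo
```

The certificate re-signed by the intermediate CA validates against the internal root, while the one signed with the ordinary server certificate is rejected even though both chain to the same root.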
@0x4b55 (2 years ago)
Blocking QUIC is still the answer? It is not a Google protocol but in the meantime standardized by the IETF. The Firewall Vendors should start to learn how to do Deep Inspection on QUIC…
@truantj (1 year ago)
Deep Inspection of HTTP3 over QUIC is supported in 7.2.0 and newer.