Secure Sockets Layer (SSL) is a critical feature in modern networks which rely heavily on encrypted communication. Today, over 90% of web traffic is encrypted using SSL/TLS, which protects sensitive information, including credentials, financial data, and personal records. While encryption provides privacy and security for users, it also introduces a major challenge for security teams as threats are now hidden inside encrypted traffic.
In the blog/article, we are going to be talking about
Why SSL traffic must be inspected
How SSL inspection works
How FortiGate performs SSL inspection
Step-by-step configuration
Security, privacy, and performance considerations
What is SSL Inspection 🧩
SSL Inspection is the process of decrypting encrypted traffic, inspecting it for threats, and re-encrypting it before forwarding it to the intended destination.
Types of SSL Inspection
Certificate
- Inspect the SSL/TLS handshake
- Verifies the identity of the web server
- Used in web filtering
Deep Inspection
- Decrypts incoming traffic to inspect it
- If safe, re-encrypts the traffic and sends it to the recipients
- Used with all types of security scanning
Why SSL traffic must be inspected 🤖
HTTPS offers protection by applying encryption to web traffic; however, it also introduces a potential security risk because attackers may attempt to use encrypted traffic to get around your network's normal defences. Attackers use HTTPS to bypass traditional security controls. Without SSL inspection, Malware downloads appear as normal HTTPS sessions, and phishing pages load without detection. SSL inspection allows security devices to decrypt, inspect, and re-encrypt traffic in real-time.
Moreover, Zero-Trust & Modern Security Models Require Visibility. Security models depend on continuous verification and inspection. Without SSL visibility, the security stack cannot:
- Apply antivirus scanning
- Enforce content filtering
- Detect intrusion signatures
Client → Encrypted Traffic → FortiGate → Decrypt → Inspect → Re-Encrypt → Server
How FortiGate Performs SSL Inspection
FortiGate acts as a trusted intermediary between client and server using a controlled Man-in-the-Middle (MITM) approach.
Process
Client initiates HTTPS connection
FortiGate intercepts the handshake
FortiGate presents its own certificate to the client
FortiGate establishes a secure session with the server
Traffic is decrypted inside FortiGate
Security profiles inspect traffic
Traffic is re-encrypted and forwarded
This is possible only if client devices trust FortiGate’s CA certificate.
Certificate Warnings ⚠️
A common challenge when deploying Full SSL Inspection is the appearance of certificate warnings on client devices. These warnings occur because FortiGate dynamically generates certificates for each HTTPS site and signs them using its own internal Certificate Authority (CA). If the client device does not trust this CA, the browser interprets the connection as untrusted and displays warnings such as “Your connection is not private.” From the browser’s perspective, this looks identical to a malicious man-in-the-middle attack, even though it is a legitimate enterprise security process.
To eliminate these warnings, the FortiGate CA certificate must be exported from the firewall and installed into the Trusted Root Certification Authorities store on all client devices (Windows, macOS, mobile devices, and in some cases, individual browsers). Once the CA is trusted, browsers accept the dynamically generated certificates without errors and encrypted traffic can be inspected transparently. This step is mandatory for any stable SSL inspection deployment.
Configuration Walkthrough: FortiGate GUI
Step 1: Create SSL Inspection Profile
Security Profiles → SSL/SSH Inspection → Create New
Choose:
Full SSL Inspection for high security
Certificate Inspection for lightweight environments
Enable:
HTTPS
SMTPS
FTPS
POP3S / IMAPS (if required)
Step 2: Install FortiGate CA Certificate on Clients
System → Certificates → Export Fortinet_CA_SSL
Install certificate in:
Windows Trusted Root Certification Authorities
macOS Keychain
Mobile Device MDM
Browser trust store (if needed)
-Without this step, users will receive certificate warnings.
Step 3: Apply SSL Inspection in Firewall Policy
Policy & Objects → Firewall Policy → Edit Policy
Under Security Profiles:
Enable SSL Inspection
Select your created SSL profile
Enable AV, IPS, Web Filter, Application Control, etc.
Traffic flow now becomes fully inspectable.
Configuring SSL Inspection in Firewall Policy 🪛
Why It Matters: SSL inspection does nothing until applied to a firewall policy. This is where enforcement actually happens.
Policy Example
Source: Internal Network
Destination: Internet
Service: HTTPS
Action: Accept
Security Profiles: Enabled
SSL Inspection Profile: Full_SSL_Inspection
This ensures every HTTPS session passing through that policy is inspected.
You can also create exceptions for certain conditions, like:
Bypass inspection for banking sites
Exempt healthcare portals
Exclude sensitive internal systems
Best practices 🚔
Use hardware acceleration (CP9 / NP6 / NP7 chips)
Apply inspection only where necessary
Avoid decrypting low-risk traffic
Monitor system resources
Conclusion 🚛
Encrypted traffic is now the dominant carrier of modern cyber threats. Without SSL inspection, organisations operate blind to the majority of malicious activity on their networks.
FortiGate’s SSL inspection capabilities provide the visibility and control required to defend against modern attack techniques when implemented responsibly, securely, and efficiently.
By combining proper configuration, performance tuning, legal compliance, and best practices, security teams can fully leverage SSL inspection as a powerful defence mechanism in today’s threat landscape.
Top comments (0)