It's good to realize that there are some reports in the interface, so that you can directly run the report on the firewall without going to the portal. Wow, amazing. 05:39
If you really want detailed reporting, you should check out the FortiAnalyzer.
It's very useful... Use GPO to deploy the certs, and you cannot use a public CA certificate.
Good catch. I'll have to re-record this on the 7.0 firmware.
I enabled shallow packet inspection on mine for faster throughput.
It's always a balance between performance and security.
At 2:54 you talk about SSL exemptions from reputable sites. On the FortiGate it gives you the option to still add Web Categories and Addresses without the Reputable Websites option being selected. My question to you is, will I need to enable this option in order for the specified Web Categories and Addresses I set to not be inspected, or can this be left disabled yet the categories and addresses I specify will still be exempt?
Yes, enable that.
Thank you 🙏🏼
You're welcome
Hello, I have a FortiGate in my GNS3 and I did all the steps you said, however I don't have that cloud thingy. How do I know that my SSL/SSH Inspection profile is working? Thank you. I'm a student and I need it for my thesis capstone 💕
What firmware?
FortiGate VM64-KVM
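One way to answer the question above about confirming the profile is working, added here as an example and not code from the video or any commenter: connect to an HTTPS host and check whether the leaf certificate the client receives was issued by the firewall's re-signing CA rather than the site's public CA. It assumes Python 3 with only the standard library, and the CA common name and the sample certificate dict are constructed placeholders; substitute the CN shown on your own SSL/SSH inspection CA.

```python
import socket
import ssl
from typing import Optional

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns for a
# connection the firewall re-signed. Both the organisation and the CA common
# name are placeholders, not real values from any product.
RESIGNED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Org"),),
        (("commonName", "Firewall SSL Inspection CA"),),
    ),
}


def issuer_cn(cert: dict) -> Optional[str]:
    """Pull the issuer commonName out of the getpeercert() RDN layout."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_inspected(cert: dict, firewall_ca_cn: str) -> bool:
    """True when the leaf certificate was issued by the firewall's CA."""
    return issuer_cn(cert) == firewall_ca_cn


def probe(host: str, firewall_ca_cn: str, port: int = 443) -> str:
    """Handshake with a real host and classify what the client saw.

    'inspected'           -> chain verified and issuer is the firewall CA
    'not-inspected'       -> chain verified, issuer is the site's public CA
    'inspected-untrusted' -> verification failed; typical when deep inspection
                             is on but the firewall CA is not in this machine's
                             trust store (a genuinely bad site cert looks the
                             same, so confirm the issuer by hand in that case)
    """
    ctx = ssl.create_default_context()  # verifies against the OS trust store
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "inspected-untrusted"
    return "inspected" if is_inspected(cert, firewall_ca_cn) else "not-inspected"
```

Run `probe("example.com", "<your CA CN>")` from a client behind the policy; a lab VM with no internet can point it at any local HTTPS server that the policy covers.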
Yeah, you don't need IPS on 'this policy' because the 'example' at the beginning shows INBOUND inspection and what you set up checks OUTBOUND, so not helpful....
You should inspect inbound and outbound traffic. The configuration 5 years ago was pretty similar between the two traffic flows. Inbound just uses a VIP.
Can't even connect to my SSH server for some useful purpose.
SSH is tricky with the certificate chain. You can exempt management traffic from deep inspection by isolating that traffic to specific policies.
Making others' life a hell.
not if you do it right 😉
Not very useful for enterprises as I am not going to add the cert manually on every machine. Hopefully there is a tutorial on how to do this on an enterprise level.
Why would you do anything manually in an enterprise environment? Push out settings from your DC using GPO.
@firstspar I was thinking the same thing. I can't believe that he didn't mention using GPO to deploy the cert in the video.
Even more so for Education, as 99.9% of our devices are not domain connected, so no GPO....
Presumably, your enterprise has an endpoint management system in place to push large-scale changes. How do you currently refresh your on-prem certificates?
Pretty fly for a wifi 🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣🤣
That's one of my favorites 😁
You shouldn't be snooping into other people's business in the first place.
If they are on my network, it's not their business 🤙
@imperionllc That network is nothing without users to give it any worth. Respect your users and stop snooping and being nosy! You should have enough work to do without wasting time reading other people's traffic.
Just block stuff from the get go and there isn't much to read.
@reversedpineapple8899 There are many legitimate reasons to do this decryption. UTMs do this to scan the traffic for malware or other known code that can cause harm to the user's browser or OS.