
How to Check If an Application Requires Deep Inspection in FortiGate Application Control


The FortiGate Application Control security profile uses application signatures (provided and updated by FortiGuard) to identify, allow, or block network traffic related to those applications.

Some applications require SSL deep inspection, e.g. using the deep-inspection SSL inspection security profile in the firewall policies matching those applications, so they can be properly identified.

Two different methods can be used to identify which applications (from FortiGuard’s Application Control Signatures) require SSL deep inspection to be properly identified.

Tested using FortiOS v7.6.4

Method 1 - From FortiGate GUI

The FortiGate GUI lets you verify which applications require SSL deep inspection. Follow these steps:

  1. Navigate to Security Profiles > Application Signatures.
  2. Search for the desired application and hover over the application name:
FortiGate Application Signature details

If the Requirements value is “🔒 SSL Deep Inspection”, an SSL inspection profile such as deep-inspection is required.

Method 2 - From FortiGuard Labs website

The FortiGuard Labs website (https://fortiguard.fortinet.com/appcontrol) provides a database of applications where we can confirm whether SSL deep inspection is required for a given application.

  1. Go to https://fortiguard.fortinet.com/appcontrol
  2. Click on the 🔍 icon at the top-right and search for your desired application:
Search application on FortiGuard Labs
  3. Multiple results for your search may come up, including not only applications but also vulnerabilities, viruses and more. Click on your desired application:
Search application on FortiGuard Labs
  4. The table on the right side indicates whether SSL Deep Inspection is required or not:
Search application on FortiGuard Labs - SSL Deep Inspection

In some cases where the application uses TCP ports 80 and 443, FortiGuard Labs lists the SSL Deep Inspection value as NO even though the application does need it. This happens because FortiGuard Labs marks an application as NO when it uses both TCP ports 80 and 443. In practice, deep inspection must be enabled to properly identify those apps. The recommended way to know whether an application needs deep inspection is to check the vendor’s website.
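
Once you know an application needs deep inspection, the next check is whether the firewall policies carrying Application Control actually use a deep-inspection profile. The script below is an added example, not part of the original article or any Fortinet tooling: it scans a constructed `show firewall policy` excerpt and reports policies that set an `application-list` without a deep-inspection `ssl-ssh-profile`. The policy names, application list names and the contents of `DEEP_PROFILES` are assumptions.

```python
import re

# Assumption: SSL/SSH inspection profiles that perform full deep inspection.
# "deep-inspection" is the FortiOS built-in; add your own custom profile names.
DEEP_PROFILES = {"deep-inspection"}

# Constructed sample of "show firewall policy" output (not from a real device).
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "lan-to-wan-apps"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "block-social"
    next
    edit 2
        set name "guest-to-wan"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
    next
    edit 3
        set name "servers-out"
        set ssl-ssh-profile "no-inspection"
    next
end
'''

def parse_policies(config_text):
    """Return {policy_id: {setting: value}} from a flat 'config firewall policy' block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def policies_missing_deep_inspection(config_text, deep_profiles=DEEP_PROFILES):
    """List policies that apply an application list without a deep-inspection profile."""
    findings = []
    for pid, cfg in sorted(parse_policies(config_text).items()):
        if "application-list" in cfg and cfg.get("ssl-ssh-profile") not in deep_profiles:
            findings.append((pid, cfg.get("name", ""), cfg["application-list"],
                             cfg.get("ssl-ssh-profile", "(none)")))
    return findings

if __name__ == "__main__":
    for f in policies_missing_deep_inspection(SAMPLE_CONFIG):
        print("policy %d %r: application-list %r with ssl-ssh-profile %r" % f)
```

A flagged policy is only a candidate: whether the signatures in its application list need deep inspection still has to be confirmed per application with Method 1 or Method 2.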
