SSL/SSH Inspection Profile
2026/1/14 · SSL/SSH Inspection · 7.X.X · About 7 minutes
Configuration
GUI
Go to Security Profiles → SSL/SSH Inspection and click Create New.
Related information
The preset custom-deep-inspection profile can also be edited and used directly.

- SSL Inspection Options:
  - Enable SSL inspection of:
    - Multiple Clients Connecting to Multiple Servers: for general policies where the destination is unknown, typically outbound Internet traffic.
    - Protecting SSL Server: for a specific SSL server; the server certificate must be specified under Server certificate.
  - Inspection method:
    - SSL Certificate Inspection (certificate-inspection): inspects only the certificate (header information up to the SSL/TLS layer), not the encrypted content. ECH can be allowed or blocked.
    - Full SSL Inspection (deep-inspection): inspects the SSL/TLS encrypted payload.
  - CA certificate: select the CA certificate used for inspection/decryption from the installed certificates. Click Download to download the certificate.
  - Blocked certificates: configure whether potentially malicious certificates are blocked or allowed. Use View Blocked Certificates to see the list of blocked certificates (with reason, SHA1 fingerprint, and date).
  - Untrusted SSL certificates: configure the action taken when the server certificate is issued by an untrusted CA.
    - Allow (default).
    - Block.
    - Ignore: valid only for deep-inspection; the certificate is re-signed as trusted. Note: in the GUI, configuring Ignore for certificate-inspection mode has no effect and is not saved.
    - Use View Trusted CAs List to see the built-in and imported CAs trusted by the FortiGate.
  - Server certificate SNI check: checks whether the SNI in the SSL Client Hello matches the CN or SAN of the server certificate.
    - Enable (default): on a mismatch, the certificate CN is used for URL filtering.
    - Strict: on a mismatch, the connection is closed.
    - Disable: the check is disabled.
  - Enforce SSL cipher compliance: enable/disable SSL cipher-suite compliance checking; deep-inspection only.
  - Enforce SSL negotiation compliance: enable/disable SSL negotiation compliance checking; deep-inspection only.
  - RPC over HTTPS: enable/disable inspection of RPC over HTTPS traffic; deep-inspection only.
  - MAPI over HTTPS: enable/disable inspection of MAPI over HTTPS traffic.
  - Protocol Port Mapping:
    - Inspect all ports: when enabled, the IPS engine inspects all ports. DNS over TLS can optionally be disabled.
    - HTTPS/SMTPS/POP3S/IMAPS/FTPS: if Inspect all ports is not enabled, specify the ports to inspect next to each protocol.
    - DNS over TLS: enable/disable inspection of DNS over TLS.
    - Encrypted Client Hello: allow or block TLS connections that use Encrypted Client Hello (ECH); available only when the inspection method is certificate-inspection.
    - HTTP/3 Protocol:
      - When the inspection method is SSL Certificate Inspection or HTTPS is disabled, HTTP/3 is fixed to Bypass and cannot be changed.
      - When the inspection method is deep-inspection, Inspect, Bypass, or Block can be selected.
    - DNS over QUIC: available when the inspection method is deep-inspection. Inspect, Bypass, or Block can be selected.
  - Exempt from SSL Inspection:
    - Reputable websites: deep-inspection only. Used to exempt reputable websites, FortiGuard web categories, or address objects. Logging of exemptions can be enabled.
- SSH Inspection Options:
  - SSH Deep Scan: enable/disable deep scanning of the SSH protocol; when enabled, the SSH port can be configured.
  - SSH port: defines the ports on which SSH protocol packets are inspected:
    - Any: inspect all SSH traffic.
    - Specify: inspect only the specified TCP ports.
- Common Options:
  - Invalid SSL certificates: configure the allow/block policy for invalid certificates. When set to Custom, the expired, revoked, validation timed-out, and validation failed cases can each be configured separately. Under deep inspection the choices are Keep Untrusted & Allow, Block, and Trust & Allow.
  - Log SSL anomalies: when enabled, sessions containing invalid certificates are logged; enabled by default. The logs are generated under the Security Events log type, SSL subtype.
CLI
```
config firewall ssl-ssh-profile
    edit <name>
        set allowlist [enable|disable]
        set block-blocklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config dot
            Description: Configure DNS over TLS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set udp-not-quic [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ech-outer-sni
            Description: ClientHelloOuter SNIs to be blocked.
            edit <name>
                set sni {string}
            next
        end
        config ftps
            Description: Configure FTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config https
            Description: Configure HTTPS options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|certificate-inspection|...]
            set udp-not-quic [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert <name1>, <name2>, ...
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ssh
            Description: Configure SSH options.
            set inspect-all [disable|deep-inspection]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set ssh-algorithm [compatible|high-encryption]
            set ssh-tun-policy-check [disable|enable]
            set status [disable|deep-inspection]
            set unsupported-version [bypass|block]
        end
        config ssl
            Description: Configure SSL options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set inspect-all [disable|certificate-inspection|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set ssl-anomaly-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set address {string}
                set address6 {string}
                set fortiguard-category {integer}
                set regex {string}
                set type [fortiguard-category|address|...]
                set wildcard-fqdn {string}
            next
        end
        set ssl-exemption-ip-rating [enable|disable]
        set ssl-exemption-log [disable|enable]
        set ssl-handshake-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ftps-client-certificate [bypass|inspect|...]
                set https-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ip {ipv4-address-any}
                set pop3s-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set ssl-server-cert-log [disable|enable]
        set supported-alpn [http1-1|http2|...]
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
    next
end
```
Inspect all ports
The behaviour of Inspect all ports can differ between flow-mode and proxy-mode firewall policies, and also depends on whether the inspection method is certificate-inspection or deep-inspection.
Related information
For firewall policy inspection modes, see Troubleshooting → Packet flow → Security inspection modes.
| Policy inspection mode / inspection method | Inspect all ports | Behaviour |
|---|---|---|
| Proxy + deep-inspection | Disabled | Only the ports specified under Protocol Port Mapping are scanned |
| Proxy + deep-inspection | Enabled | All ports are scanned |
| Flow + deep-inspection | Enabled/Disabled | All ports are scanned |
| certificate-inspection | Disabled | Only the ports specified under Protocol Port Mapping are scanned (same for Flow and Proxy) |
| certificate-inspection | Enabled | All ports are scanned (same for Flow and Proxy) |
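Putting the CLI syntax above together with the Inspect all ports behaviour in the table, the following is an added worked profile for the outbound deep-inspection case (an example constructed for this page, not a configuration taken from the page or from Fortinet). The profile name, both CA names and the address-object name are assumptions that must match objects on the unit, and the `#` lines are annotations rather than CLI input.

```fortios
# Added example: outbound deep-inspection profile (constructed, not from the page).
# Assumed names: the profile, both CA names and the "pinned-apps" address object.
# The CA in "caname" re-signs origin certificates, so client endpoints must trust it.
config firewall ssl-ssh-profile
    edit "outbound-deep-inspection"
        set comment "Constructed example: decrypt outbound TLS, fail closed on bad certs"
        set caname "Fortinet_CA_SSL"                  # re-signing CA (assumed name)
        set untrusted-caname "Fortinet_CA_Untrusted"  # CA for untrusted origins (assumed name)
        set server-cert-mode re-sign
        set block-blocklisted-certificates enable
        config ssl
            # deep-inspection here scans all ports on a proxy-mode policy;
            # on a flow-mode policy all ports are scanned regardless (see table above)
            set inspect-all deep-inspection
            set min-allowed-ssl-version tls-1.2
            set untrusted-server-cert block           # never re-sign an untrusted origin as trusted
            set expired-server-cert block
            set revoked-server-cert block
            set cert-validation-failure block
            set cert-validation-timeout block         # fail closed if revocation lookup times out
            set sni-server-cert-check strict          # close the session on SNI vs CN/SAN mismatch
            set unsupported-ssl-cipher block
            set unsupported-ssl-negotiation block
            set unsupported-ssl-version block
        end
        config dot
            set status deep-inspection                # also inspect DNS over TLS
        end
        config ssh
            set status deep-inspection
            set inspect-all deep-inspection
            set unsupported-version block
        end
        config ssl-exempt
            # destinations that must not be decrypted, e.g. certificate-pinned applications
            edit 1
                set type address
                set address "pinned-apps"             # assumed address object
            next
        end
        set ssl-exemption-log enable                  # record every exemption decision
        set ssl-anomaly-log enable                    # invalid-certificate sessions (Security Events / SSL)
        set ssl-server-cert-log enable
    next
end
```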