SSL deep inspection (DPI) is a critical security function that allows FortiSASE to decrypt and inspect the actual payload of encrypted traffic (such as HTTPS, SMTPS, and FTPS) to identify and block hidden threats.

The Role of the CA: For this process to occur, FortiSASE must act as a "man-in-the-middle" by intercepting the SSL session, decrypting it for inspection, and then re-encrypting it before sending it to the endpoint.2 To re-encrypt the traffic, FortiSASE acts as a Certificate Authority (CA) and signs a new certificate for the destination website on the fly.

Certificate Types: This CA role can be fulfilled using the default self-signed certificate provided by Fortinet (typically Fortinet_CA_SSL) or a certificate issued by an organization's internal/private CA. Publicly trusted third-party CAs (like DigiCert or Let's Encrypt) do not sell CA-capable certificates that can be used for this type of inspection.

Client Machine Requirement: Because the endpoint’s browser or operating system will not natively trust a certificate signed by a private or self-signed CA, the root CA certificate must be imported into the Trusted Root Certification Authorities store on all managed client machines. Failure to do so results in persistent certificate warnings or blocked connections for the end user.

Supported Features: Once enabled, SSL deep inspection provides the necessary visibility for high-level security features to function, including Antivirus, Web Filtering, Data Loss Prevention (DLP), File Filter, and Application Control.