Why Deep Packet Inspection (DPI) Breaks Guest Wi-Fi (And How to Fix It on Fortinet FortiGate)

Introduction

Deep Packet Inspection — what FortiGate calls Full SSL Inspection — is one of the most powerful tools in a firewall administrator’s kit. Rather than treating encrypted traffic as an opaque tunnel, the firewall sits in the middle of the conversation, decrypts it, inspects the contents against your security profiles (antivirus, web filtering, IPS, DLP), re-encrypts it, and sends it on its way. On a corporate, domain-joined fleet of laptops, this is fantastic. It’s how you catch malware hiding inside an HTTPS download or stop data exfiltration over what looks like an innocuous web request.

So it’s an entirely reasonable instinct to think: “If Full SSL Inspection is good for my corporate VLAN, it must be even more important on my Guest Wi-Fi — that’s where the untrusted, unmanaged devices live.”

This is the trap that catches out a huge number of otherwise-competent network administrators. You roll out a guest SSID, apply the same Deep Inspection profile you use internally, and within the hour your phone is buzzing with helpdesk tickets: “Wi-Fi says it’s not secure,” “the guest network has no internet,” “my banking app won’t open.” You haven’t made the guest network safer — you’ve made it unusable, and arguably less secure, because frustrated users will simply tether to their cellular data and bypass your visibility entirely.

This post explains exactly why DPI and guest/BYOD networks are fundamentally at odds, and lays out the FortiGate architecture that gives you real security and visibility on guest Wi-Fi without setting your helpdesk queue on fire.

The Core Problem: The Trust Gap

How Full SSL Inspection actually works

To inspect encrypted traffic, the FortiGate has to perform a sanctioned Man-in-the-Middle (MitM). When a client opens an HTTPS connection to, say, https://example.com, here’s what really happens under Full SSL Inspection:

  1. The client’s TLS request hits the FortiGate.
  2. The FortiGate opens its own TLS session to example.com on the client’s behalf, and inspects the real certificate the destination server presents.
  3. Simultaneously, the FortiGate generates an on-the-fly certificate for example.com, signed by its own internal Certificate Authority (CA) — on FortiGate this is typically the Fortinet_CA_SSL certificate (or a custom imported CA).
  4. The FortiGate presents that certificate to the client.
  5. The client’s browser/OS checks whether it trusts the CA that signed the certificate it just received.

That last step is where everything lives or dies.

Why unmanaged devices fail step 5

On a corporate, domain-joined Windows estate, you push the FortiGate’s CA certificate out to every machine via Group Policy or your MDM/EMM platform. The device implicitly trusts the FortiGate’s forged certificates because you told it to. The MitM is “sanctioned” — the device and the firewall are, in effect, in on it together.

A guest’s iPhone, a contractor’s personal laptop, or an employee’s BYOD Android handset has never seen your CA certificate and never will. As far as that device is concerned, a third party (your firewall) has just intercepted its supposedly-private connection to its bank and presented a certificate signed by an authority it has no reason to trust. The device’s TLS stack does exactly what it was designed to do: it screams.

The visible consequences

  • “Your connection is not private” / “Connection Not Private” warnings — every single HTTPS site the guest visits throws a full-page browser interstitial. Most users have been trained (correctly!) to treat this as a sign they’re about to be phished, and they either give up or — worse — click through warnings reflexively, undoing years of security awareness training.
  • Hard blocks from HTTP Strict Transport Security (HSTS) — this is the silent killer. Sites that enrol in HSTS (and HSTS preload lists baked directly into Chrome, Safari, and Firefox) instruct the browser: “Never, under any circumstances, accept an invalid or untrusted certificate for this domain — and don’t even offer the user a click-through option.” For HSTS-preloaded domains (which include most major banks, Google, and social platforms), there is no warning page to click through. The connection simply fails, with no recourse for the user and no useful error for you to troubleshoot.

You haven’t built a security control. You’ve built a wall between your guests and the internet they came to use.

Technical & Operational Friction Points

Beyond the headline certificate problem, Full SSL Inspection on a guest network creates friction at every layer of the stack.

Administrative overhead

  • You cannot deploy a CA certificate to a transient population. Guests are, by definition, devices you don’t manage and will likely never see again. There is no MDM enrolment, no GPO, no onboarding flow that scales to “anyone who asks for the Wi-Fi password.” Some vendors suggest a captive portal that walks users through manually installing a root certificate — in practice this is a multi-step, platform-specific process that a non-technical visitor will abandon, and one that (rightly) makes security-conscious guests deeply uncomfortable about installing an unknown root CA on their personal device.
  • Helpdesk tickets multiply. Every certificate warning, every “no internet” notification, and every crashed app generates a support interaction — for a network segment that exists specifically to reduce the support burden on your team.

Application failures from certificate pinning

Many modern mobile applications — banking apps, messaging platforms, and social media clients chief among them — implement certificate pinning (or public key pinning). Instead of trusting whatever certificate the OS trust store says is valid, the app hard-codes (pins) the expected certificate or public key for its own backend.

When that app sees the FortiGate’s forged certificate instead of the pinned original, it doesn’t show a polite warning dialog — because it isn’t relying on the OS TLS stack’s UI at all. It simply refuses the connection at the code level. The result, from the user’s perspective, is that the app crashes, hangs on a spinner indefinitely, or silently fails to load any data. There is no error message pointing at Wi-Fi, no certificate warning to scrutinise — just a broken app, and a guest who assumes either their phone or your network is faulty.

OS-level quirks: captive portal detection false positives

Both Android and iOS run a lightweight connectivity check the moment they associate with a new Wi-Fi network — Apple hits endpoints like captive.apple.com, Google uses connectivitycheck.gstatic.com and similar. The OS expects a specific, predictable plaintext (or specifically-certificated) response. If it gets anything else — including a FortiGate-forged certificate where it expected the real one, or an inspected/rewritten payload — the OS concludes it has hit a captive portal it doesn’t recognise, or simply that there’s no internet connectivity at all.

The practical result: guests see a “No Internet, Open Network” or “Sign in to Wi-Fi Network” prompt the instant they connect — before they’ve even opened a browser — regardless of whether their actual internet access works fine. It’s one of the most confusing failure modes for end users, because the device is telling them the network is broken at the OS level, seconds after they typed in the password you gave them.

The Resource Drain

Even setting the user-experience disaster aside, Full SSL Inspection is expensive to run. Decrypting, inspecting, re-encrypting, and re-transmitting every single TLS session is one of the most CPU- and memory-intensive operations a FortiGate performs — which is precisely why Fortinet builds dedicated CP (Content Processor) and SPU (Security Processing Unit) ASICs into its higher-end appliances specifically to offload this work.

Now consider what guest Wi-Fi traffic actually looks like in 2026: it’s overwhelmingly video streaming (YouTube, Netflix, social media video feeds), large software and OS updates, and bulk media transfer — much of it long-lived, high-bitrate, and entirely uninteresting from a security-inspection standpoint. Running all of that through full decryption burns CPU cycles and proxy session memory that would be far better spent protecting traffic that actually matters — your internal, managed estate. On mid-range appliances without generous SPU headroom, a busy guest SSID running Full SSL Inspection can measurably degrade performance for every other policy on the box.

The Solution: The Best Practice FortiGate Architecture

The right mental model for guest and BYOD security isn’t “decrypt and inspect everything, just like the corporate network.” It’s “isolate, classify, and observe — without breaking trust.” Here’s the blueprint.

Step 1 — Isolate the guest network properly

Before you touch SSL inspection settings at all, make sure the fundamentals are in place:

  • Guest SSID on its own VLAN/interface, with a dedicated firewall policy set.
  • Intra-guest device isolation enabled on the FortiAP/SSID profile (so guests can’t see or attack each other).
  • Explicit deny rules preventing any guest-to-internal-network routing — guest traffic should have one path: outbound to the internet.

Step 2 — Replace “Deep Inspection” with “Certificate Inspection”

This is the single most important change. In your guest firewall policy, set the SSL Inspection profile to certificate-inspection (sometimes shown in the GUI as the default certificate-inspection profile) instead of a deep-inspection/Full SSL Inspection profile.

Certificate Inspection (also referred to as SSL handshake inspection) does not decrypt the session at all. Instead, the FortiGate inspects the unencrypted parts of the TLS handshake — specifically the Server Name Indication (SNI) field in the Client Hello, and the server’s real certificate Common Name/SAN in its response — and makes its filtering decision based on that. The client and server complete a normal, untampered TLS handshake and trust each other directly. No forged certificate is ever presented, so:

  • No “Connection Not Private” warnings.
  • No HSTS hard failures.
  • No certificate-pinning crashes.
  • No captive-portal false positives.

You give up the ability to inspect the contents of encrypted sessions — but for a guest network, that’s the correct trade-off. You’re not trying to perform DLP on a visitor’s personal banking session (and arguably, you have no business doing so). You’re trying to make sure they aren’t browsing to known-malicious or inappropriate destinations, and SNI-based filtering does exactly that.

Step 3 — Configure FortiGuard Web Filtering against the SNI

With Certificate Inspection in place, attach a Web Filter profile to the same policy. The FortiGate will categorise and block destinations using the FortiGuard category database matched against the SNI/CN — letting you block malware, phishing, and inappropriate-content categories cleanly, with zero decryption.

Step 4 — Use the Internet Service Database (ISDB) for clean, low-overhead control

Rather than writing brittle IP/port rules, use ISDB objects in your guest policy to allow or deny entire well-known services by name (e.g., allow Google-Services, Apple, Microsoft-365; deny categories you don’t want traversing the guest segment). ISDB entries are maintained by Fortinet and updated automatically via FortiGuard, which means your guest policy stays accurate without constant manual upkeep — and because matching happens on pre-classified service objects rather than full-content inspection, it’s dramatically lighter on the firewall’s CPU.

Step 5 — Apply Application Control for visibility and bandwidth shaping

Layer an Application Control profile onto the policy to identify traffic by application signature (streaming video, P2P, social media, gaming, etc.) — again, without decrypting payloads. Pair this with traffic shaping policies to cap or de-prioritise bandwidth-heavy categories like video streaming, so three guests binge-watching video don’t degrade the experience (or your uplink) for everyone else, including your business-critical traffic.

Step 6 — Add IPS for network-layer protection

Finally, attach an IPS profile (using a guest-appropriate sensor) to catch network-layer exploitation attempts — port scans, known exploit signatures, botnet C2 callbacks — all of which are visible without touching the encrypted payload at all.

The end result: a guest policy stack of Certificate Inspection → Web Filter → ISDB → Application Control → Traffic Shaping → IPS that gives you strong, defensible security and rich visibility, while leaving every guest’s TLS session exactly as intact and trustworthy as the internet expects it to be.

Conclusion & Call to Action

Deep Packet Inspection isn’t a “more security is always better” dial you can turn up indiscriminately. It depends entirely on a chain of trust between the firewall and the endpoint — a chain that simply does not exist for guest and BYOD devices, and that you have no realistic way of building. Forcing the issue doesn’t make your guest network safer; it makes it hostile to the very users it exists to serve, while quietly burning your appliance’s CPU on traffic that was never the real risk in the first place.

The better posture for guest Wi-Fi is to stop trying to see inside the encrypted conversation, and instead get excellent at isolation, classification, and visibility around it: lock guests into their own segment, classify and filter by SNI and ISDB, shape what they consume, and watch for anomalies with IPS. That’s a security model that works with the architecture of the modern web instead of fighting it.

If you’re currently running Full SSL Inspection on a guest or BYOD SSID and wondering why your helpdesk queue won’t quiet down — that’s your answer. Open your guest firewall policy, swap the SSL Inspection profile from Deep Inspection to Certificate Inspection, and layer on Web Filtering, ISDB, and Application Control as described above. Your guests get a network that simply works, and you get the visibility and control you actually need — without a single forged certificate in sight.