Technical Tip: FortiClient web filter, URL path not inspected for HTTPS without SSL deep inspection
Description
This article describes a behavior where FortiClient WebFilter only inspects the domain portion of an HTTPS URL and not the full URL path, when neither SSL Deep Inspection nor the Web Browser Plugin is enabled.
When FortiClient processes an HTTPS connection, it intercepts the traffic at the TLS layer and extracts only the SNI (Server Name Indication) hostname from the TLS ClientHello. Since the URL path remains inside the encrypted tunnel and FortiClient does not decrypt it, the WebFilter engine is only able to evaluate the domain.
Scope
FortiClient: v7.4.x, v7.6.x.
FortiClient EMS: v7.4.x, v7.6.x.
Platform: Windows, Linux, macOS.
Solution
Example behavior, taken from the fortiproxy.log file in the FortiClient diagnostic results (two test URLs, one matched by a domain-only entry and one that would require the path):
www.motdepasse.xyz: Blocked correctly because the full domain is blacklisted. The engine matches at the TLS/SNI layer and triggers action=3 (block).
fid=27845 check->(26)https://www.motdepasse.xyz
fid=27845 current state: in black list
fid=27845 current state: 1, cat action: 3, class action: 3
action=3, cat=0, catName=Uncategorized, balloon=1
fid=27849 host=www.motdepasse.xyz url=/ → White=0 Black=1 Monitor=0 Exempt=0
www.dashlane.com/fr/features/password-generator: Allowed because only www.dashlane.com is evaluated. The path '/fr/features/password-generator' never appears in any log line and is never inspected.
fid=27872 check->(24)https://www.dashlane.com
Check remote category for url: www.dashlane.com
fid=27872 iCat=52 iClass=0, m_CatAction=0, m_ClassAction=0
fid=27872 current state: 2, cat action: 0, class action: 0
Root cause:
FortiClient intercepts HTTPS at the TLS layer and extracts only the SNI hostname from the TLS ClientHello. Without decrypting the tunnel, the URL path is never visible to the WebFilter engine. This applies to both simple URL and Wildcard filter options.
As documented in the Web and Video Filter documentation, FortiClient does not perform deep inspection by default and instead relies on certificate inspection for HTTPS, which means the full URL path cannot be evaluated.
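The following is an added illustration of the root cause, not code from the article or from FortiClient. It builds a minimal TLS 1.2 ClientHello (constructed sample, not a real capture), extracts the SNI hostname the same way a non-decrypting interceptor would, and evaluates two blocklist entries against it: a domain-only entry and one that carries a path. The blocklist entries are the two URLs from the log excerpt above; the verdict functions and their names are this example's own assumptions and do not model FortiClient's actual matching engine.

```python
import struct
from typing import List, Optional

# Constructed blocklist: one domain-only entry, one entry with a path.
BLOCKLIST = [
    "www.motdepasse.xyz",
    "www.dashlane.com/fr/features/password-generator",
]


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with a server_name extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + bytes(32)            # random (zeros; constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite
        + b"\x01\x00"          # compression: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                      # record hdr + hs hdr + version + random
    pos += 1 + record[pos]                # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    if pos + 2 > len(record):
        return None                       # no extensions at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:
            lp = pos + 2                  # skip server_name_list length
            while lp + 3 <= pos + elen:
                ntype = record[lp]
                nlen = struct.unpack("!H", record[lp + 1:lp + 3])[0]
                if ntype == 0:
                    return record[lp + 3:lp + 3 + nlen].decode()
                lp += 3 + nlen
        pos += elen
    return None


def sni_only_verdict(record: bytes, blocklist: List[str]) -> str:
    """What a TLS-layer interceptor without decryption can decide: host only."""
    host = extract_sni(record)
    for entry in blocklist:
        entry_host, _, entry_path = entry.partition("/")
        # An entry with a path can never match here: the path is inside the tunnel.
        if entry_host == host and entry_path == "":
            return "block"
    return "allow"


def full_url_verdict(url: str, blocklist: List[str]) -> str:
    """What an engine that sees the full URL (browser plugin / deep inspection) can decide."""
    host, _, path = url.partition("/")
    for entry in blocklist:
        entry_host, _, entry_path = entry.partition("/")
        if entry_host != host:
            continue
        if entry_path == "" or ("/" + path).startswith("/" + entry_path):
            return "block"
    return "allow"


if __name__ == "__main__":
    for host, url in [
        ("www.motdepasse.xyz", "www.motdepasse.xyz/"),
        ("www.dashlane.com", "www.dashlane.com/fr/features/password-generator"),
    ]:
        hello = build_client_hello(host)
        print(f"{url}: SNI-only={sni_only_verdict(hello, BLOCKLIST)}, "
              f"full-URL={full_url_verdict(url, BLOCKLIST)}")
```

Run stand-alone, the script shows the same split as the log excerpt: the domain-only entry blocks at the SNI layer, while the entry carrying a path is only enforceable once something (the browser plugin or deep inspection) hands the engine the full URL.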
Workaround:
Two options are available to enable full URL path inspection for HTTPS:
Option 1. Web Browser Plugin (Windows only).
Enable the Web Browser Plugin for HTTPS Web Filtering in the EMS Web Filter profile:
<webbrowser_plugin>
<enabled>1</enabled>
<sync_mode>1</sync_mode>
<force_enable_in_private_mode>1</force_enable_in_private_mode>
<addressbar_only>1</addressbar_only>
<ignore_data_url>0</ignore_data_url>
</webbrowser_plugin>
Once enabled, the browser extension will intercept HTTPS requests and pass the full URL (including path) to the WebFilter engine.
Option 2. HTTPS Deep Inspection (Linux/macOS).
Enable the 'Enable HTTPS Deep Inspection' option in the EMS Web Filter profile. This is the route for Linux and macOS, where the browser plugin is not supported.
Notes:
If the Web Browser Plugin is disabled and Deep Inspection is not configured, only domain-level blocking is enforced for HTTPS traffic.
Block pages for HTTPS sites without SSL inspection may appear as browser certificate warnings rather than a standard Fortinet block page.
