sazi
New Member
April 12, 2013
Question

Block HTTPS sites by URL

[using FortiGate 100D v5.02] I set up the WebFilter to block some categories, like Social Networking. If a user tries to access a site using HTTP, it works fine, blocking the access. But if the user tries using HTTPS, the access is allowed. I read about the necessity of using SSL Inspection, but if I activate it, I get some errors about the certificate. Then I found this option inside UTM >> WebFilter: What does this option do? With this, could I block URL access without using HTTPS Inspection? At my site, Inspection under SSL Content is not necessary; I would just like to block access to websites via HTTPS...

    14 replies

    SimplicityForce
    New Member
    April 12, 2013
    I have been trying out the DNS Inspection Mode for a similar situation, and it seems to be working pretty well. You may want to give this a try. The only caveat is that you need to use the FortiGuard DNS servers, which may not be as fast or reliable as your current servers. I use the FortiGuard servers as forwarders for internal DNS with no issues yet. I hope this is helpful.
    sazi (Author)
    New Member
    April 15, 2013
    I'm already using FortiGuard DNS. I found this documentation, but I'm not sure if it is what you said. http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Handbook/UTM.005.12.html Best regards.
    SimplicityForce
    New Member
    April 15, 2013
    You activate DNS inspection under UTM >> WebFilter >> Profile Inspection Mode: DNS
    okidoki99
    New Member
    April 19, 2013
    Hi there, I also have issues with blocking HTTPS sites. Web filtering for YouTube and Facebook is OK, but as soon as I enter https:// it will pass my filters. My device is a FortiGate 111C v5.0,build0179 (GA Patch 2). Can someone give me a checklist of what I need to have configured so it works?
    okidoki99
    New Member
    April 19, 2013
    I did not figure out how to add more pictures, so I will reply with 2 more... sorry for that.
    okidoki99
    New Member
    April 19, 2013
    last one
    Staplewire
    New Member
    April 20, 2013
    I've been working on this problem also. This setup seems to work for me for Facebook, YouTube and Twitter (HTTP and HTTPS):
    Staplewire
    New Member
    April 20, 2013
    For YouTube, you can still access the page in HTTPS but the movies won't play.
    okidoki99
    New Member
    April 22, 2013
    Facebook and YouTube seem to work (I can access the page but get an error on play for every movie). Is there any way to get rid of that page with the certificate being expired, even on the Google page?
    okidoki99
    New Member
    April 26, 2013
    I found out a more elegant solution!
    1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block
    2. [optional] Create a Group that will include all the above records
    3. Create a rule in Policy->Policy that will deny the source: all and the destination the group or address in step 1-2, scheduled always with the HTTPS service and put the rule as high as possible
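
The three steps above, written as FortiOS CLI (an added example, not part of the original post and not Fortinet's own configuration). The object and group names, the interfaces `internal` and `wan1`, policy ID 100 and the position before policy 1 are assumptions to replace with your own values; the `#` lines are annotations for the reader.

```fortios
# Step 1: one FQDN address object per site to block (object names are placeholders)
config firewall address
    edit "blk-www.facebook.com"
        set type fqdn
        set fqdn "www.facebook.com"
    next
    edit "blk-www.youtube.com"
        set type fqdn
        set fqdn "www.youtube.com"
    next
end

# Step 2 (optional): group the objects so the policy references a single name
config firewall addrgrp
    edit "blocked-https-sites"
        set member "blk-www.facebook.com" "blk-www.youtube.com"
    next
end

# Step 3: deny policy for HTTPS to the group, moved above the existing allow rules
# (ID 100 is assumed to be unused; policy 1 is assumed to be the first allow rule)
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "blocked-https-sites"
        set action deny
        set schedule "always"
        set service "HTTPS"
    next
    move 100 before 1
end
```

An FQDN address object matches on the IP addresses the FortiGate itself resolves for that name, so the FortiGate needs working DNS, and sites served from many or shared addresses can be missed or overblocked.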
    sazi (Author)
    New Member
    May 7, 2013
    I found out a more elegant solution! 1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block 2. [optional] Create a Group that will include all the above records 3. Create a rule in Policy->Policy that will deny the source: all and the destination the group or address in step 1-2, scheduled always with the HTTPS service and put the rule as high as possible
    @okidoki99 It doesn't work for me... Could you take a look at my configs? SSL Inspection: Policy: AddressObjects: WebFilter: PS: I tried with Facebook and Google URLs...
    networkingkool
    New Member
    May 3, 2013
    is there any way to get rid of that page with the certificate being expired, even on google page?
    I don't understand your question much. But when I used the SSL inspection feature, I encountered a certificate error page whenever I browsed to HTTPS pages. I tried importing Fortinet_CA_SSLProxy, and I never saw the error pages again.
    sazi (Author)
    New Member
    May 7, 2013
    I can also block HTTPS pages using SSL Inspection and WebFilter, but I got the same certificate errors. My company has more than 120 computers. I think it will not be easy to import Fortinet_CA_SSLProxy on all computers...
    Heodrene
    New Member
    May 7, 2013
    @Sazi: if your computers are integrated in an Active Directory domain, you can make a GPO to deploy the certificate.