New Member

Question

Block HTTPS sites by URL

Forum|Forum|13 years ago
April 12, 2013
14 replies
30027 views

[using FortiGate 100D v5.02] I setup the WebFilter to block some categories, like Social Networking. If a user tries to access using HTTP it works fine, blocking the access. But if the user tries using HTTPS, the access is allowed. I read about the necessity to use SSL Inspection, but if I activate it, i get some errors about certificate. Then, I found this option inside UTM >> WebFilter:

What does this option ? With this, I could block URLs access without using HTTPS Inspection ?? In my site, is not necessary Inspection under SSL Content, I just would like to block the access to websites via HTTPS...

SimplicityForce

New Member

I have been trying out the DNS Inspection Mode for a similar situation, and it seems to be working pretty well. You may want to give this a try. The only caveat is that you need to use the FortiGuard DNS servers, which may not be as fast or reliable as your current servers. I use the FortiGuard servers as forwarders for internal DNS with no issues yet. I hope this is helpful.

saziAuthor

New Member

I' m already using FortiGuard DNS.

I found this documentation, but I' m not sure if is it what you said. http://docs.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Handbook/UTM.005.12.html Best regards.

SimplicityForce

New Member

You activate DNS inspection under UTM >> WebFilter >> Profile Inspection Mode: DNS

okidoki99

New Member

Hi there, I also have issues with blocking https sites. web filtering for youtube and facebook is ok, but as soon as I enter https:// it will pass my filters. My device is an: Fortigate 111C v5.0,build0179 (GA Patch 2) Can someone give me a check list of what do I need to have configured so it works?

Lj23443.jpg

okidoki99

New Member

I did not figure out how to add more pictures so I will reply with 2 more...sorry for that

Db83928.jpg

okidoki99

New Member

last one

Bz77775.jpg

Staplewire

New Member

I' ve been working on this problem also. This setup seems to work for me for facebook, youtube and twitter (http and https):

Db86504.jpg

Staplewire

New Member

For youtube, you can still access the page in https but the movies won' t play.

okidoki99

New Member

facebook and youtube seems to work (i can access the page but have error on play for every movie) is there any way to get rid of that page with the certificate being expired, even on google page?

okidoki99

New Member

I found out a more elegant solution! 1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block 2. [optional] Create a Group that will include all the above records 3. Create a rule in Policy->Policy that will deny the source: all and the destination the group or address in step 1-2, scheduled always with the HTTPS service and put the rule as high as possible

saziAuthor

New Member

I found out a more elegant solution! 1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block 2. [optional] Create a Group that will include all the above records 3. Create a rule in Policy->Policy that will deny the source: all and the destination the group or address in step 1-2, scheduled always with the HTTPS service and put the rule as high as possible

@okidoki99 It doesn' t work for me... Could you give a look at my configs ?? SSL Inspection:

Policy:

AddressObjects:

WebFilter:

PS: I tried with facebook and Google urls...

networkingkool

New Member

is there any way to get rid of that page with the certificate being expired, even on google page?

I don' t understand your question much? But when I used SSL inspection feature I encountered certificate error page whenever I browsed to https pages. I tried to import Fortinet_CA_SSLProxy. and I never see the error pages again.

saziAuthor

New Member

I also can block HTTPS pages using SSL Inspection and WebFilter, but I got the same certificate errors. My company have more than 120 computers. I think it will not be easy to import Fortinet_CA_SSLProxy for all computers ...

Heodrene

New Member

@Sazi : if your computers are integrated in Active Directory domain, you can make a GPO to deploy the certificate.

Show more replies

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded