sazi
New Member
April 12, 2013
Question

Block HTTPS sites by URL

  • April 12, 2013
  • 14 replies
  • 30027 views
[using FortiGate 100D v5.02] I set up the WebFilter to block some categories, like Social Networking. If a user tries to access them using HTTP it works fine, blocking the access. But if the user tries using HTTPS, the access is allowed. I read about the necessity to use SSL Inspection, but if I activate it, I get some errors about the certificate. Then, I found this option inside UTM >> WebFilter: What does this option do? With this, could I block URL access without using HTTPS Inspection? On my site, inspection of SSL content is not necessary, I just would like to block the access to websites via HTTPS...


    pcraponi
    New Member
    May 8, 2013
    It's not a good idea to block using Firewall Address. First, because some providers, like Google, use the same IP for more than one service. So you will block "youtube.com" and this can block "docs.google.com" too... Second, because most of these services use Akamai CDN, so you will block facebook.com but will also block another random site. The best way to block HTTPS sites is using SSL Inspection. Like this video: http://www.youtube.com/watch?v=-7OUDfhtc_g The problem of the invalid certificate can be solved using Active Directory to deploy your own certificate to all hosts, for example. Regards, Paulo Raponi
    sazi (Author)
    New Member
    May 8, 2013
    Hello Paulo, I also think the better way to block HTTPS is with SSL Inspection, but I'm stuck on the certificate problem... Is it possible to deploy Fortinet_CA_SSLProxy to all computers in my Active Directory without an AD Certification Authority? Or, doing this, can I get problems because the Fortinet_CA_SSLProxy is the same for every Fortigate? Best regards,
    pcraponi
    New Member
    May 8, 2013
    sazi, Yes. You can deploy to the whole AD forest without a Certification Authority: GPO Path (see the attached screenshot): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Right click and import Fortinet_CA_SSLProxy. As it is a Computer GPO, the workstations need to be rebooted after applying the GPO. Yes to your second question. This certificate is the same for all Fortigates in the world. Theoretically it is a security problem. But in the "real world" it is very difficult to see an attack of this type. But you can solve this by creating your own CA.
    mbrowndcm
    New Member
    May 30, 2013
    You're much better off creating an offline CA with an old box. I just did this with CentOS and OpenSSL. It's actually quite easy, and the learning curve isn't too great. Also, check out how to configure SSL/TLS inspection using a CA on your Fortigate unit, using the CA you configured above.
    Dipen
    New Member
    August 4, 2013
    One issue with Youtube not getting blocked is that the CA certificate for youtube has CN as *.google.com and *.youtube.com is only an alias. I read that Fortigate blocks HTTPS sites using the CN in certificates. Could it be that due to a generic CN in Youtube's certificate we can face problems in blocking? Google Drive / Google Play are also using the *.google.com certificate, hence https versions cannot be blocked. GMail doesn't have this issue, that is why it's easily blocked. Any suggestions?
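
To make Dipen's point concrete, here is an added Python example (not code from the thread and not Fortinet's implementation) comparing three ways a non-decrypting filter could decide from the unencrypted handshake. The certificate is a constructed dictionary, not a real Google certificate: it only mirrors the shape described above, a CN of *.google.com with *.youtube.com appearing solely in the Subject Alternative Name list. The blocklist is assumed. It shows that keying on the CN alone misses YouTube, keying on any SAN name over-blocks every service that shares the certificate (the same problem pcraponi raised for IP-based blocking), and keying on the SNI hostname, checked against the names the certificate actually covers, is the only variant that blocks www.youtube.com without also blocking docs.google.com.

```python
def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: a leading '*' stands for exactly one DNS label,
    so '*.google.com' matches 'www.google.com' but not 'google.com' or 'a.b.google.com'.
    A wildcard directly under a TLD ('*.com') is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def in_blocklist(name: str, blocklist) -> bool:
    """Suffix match of a DNS name (wildcard prefix dropped) against blocked domains."""
    base = name.lower().rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    for entry in blocklist:
        entry = entry.lower().rstrip(".")
        if base == entry or base.endswith("." + entry):
            return True
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    """Does the certificate's name set cover this hostname? As in RFC 6125, SAN
    dNSNames are authoritative when present; the CN is consulted only otherwise."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(wildcard_match(n, hostname) for n in names)


def classify(sni_hostname: str, cert: dict, blocklist) -> dict:
    """Three decision rules a filter might apply without decrypting:
      cn_only  - key on the certificate CN (the behaviour Dipen describes)
      san_any  - block if any SAN dNSName falls under a blocked domain
      sni      - key on the ClientHello SNI, but only if the presented certificate
                 really covers that name (so a forged SNI cannot launder a blocked site)
    """
    return {
        "cn_only": in_blocklist(cert["cn"], blocklist),
        "san_any": any(in_blocklist(n, blocklist) for n in cert.get("san_dns", [])),
        "sni": cert_covers(cert, sni_hostname) and in_blocklist(sni_hostname, blocklist),
    }


# Constructed certificate shape (assumption, not a real Google certificate): one
# shared wildcard cert whose CN is *.google.com and whose SAN list also carries
# the YouTube names, which is the situation described in the post above.
SHARED_CERT = {
    "cn": "*.google.com",
    "san_dns": ["*.google.com", "*.youtube.com", "youtube.com"],
}
BLOCKLIST = ["youtube.com"]   # assumed "Social Networking" style entry

if __name__ == "__main__":
    for host in ["www.youtube.com", "docs.google.com"]:
        print(host, classify(host, SHARED_CERT, BLOCKLIST))
```

Reading the output: for www.youtube.com the CN rule says allow (wrong), the SAN rule says block, and the SNI rule says block; for docs.google.com the CN rule says allow, the SAN rule says block (over-blocking an unrelated service), and the SNI rule says allow. Only full SSL inspection gets past the hostname to the URL, but for host-level category blocking the SNI is the right key, with the certificate check there to stop a client from presenting a harmless SNI for a blocked site.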