Skip to main content
kulas
kulas
New Member
March 5, 2018
Solved

Deep Packet inspection to Block Facebook comments, file upload, play videos, share

  • March 5, 2018
  • 2 replies
  • 6981 views

Hi all,

 

Good day!

The client wants a policy that they can access Facebook but for viewing only. They cannot do Comments, File/Status Upload and Play Videos but they can use  Facebook Messenger (App) and Messeger.com (Web). I already achieve the client's requirements but it requires to install the certificate generated from the FortiGate to avoid the Certificate Error. I just wanna confirm if this requirement of the client can achieve without using Deep Packet Inspection on the FortiGate? or is there a firmware version of the Fortigate that can achieve the same result but doesn't require Deep Packet Inspection?

 

Best regards,

    Best answer by NeilG

    Kulas,

     

    If Facebook was kind enough to use a unique url for each service  like messenger.app.facebook.com, then you might be able to get a basic level of control using certificate inspection only vs deep packet inspection.

     

    Deep inspection is required anytime you want to "see" what your users are using while encrypted.

     

    This is not specific to fortigate  - all systems that "inspect" SSL traffic have to do the same.

     

    Are you aware of a product that can inspect SSL/TLS data streams without decoding and re-sign? 

    You could take the HTTPS traffic and just show the users HTTP and thus not need to re-sign the traffic.

     

    Also if you already have an PKI, you could leverage that with your fotigate - so you don't have to use the certificate that came with your foritgate - but it does need some certificate signing certificate that the end-users computers trust.

     

    The Deep Inspection certificate requires the "keyCertSign" attribute to be set - so I doubt any reputable CertAuthority that is pre-trusted by your OS/Browser will give one out.

     

    -Neil

     

    2 replies

    NeilG
    NeilGAnswer
    New Member
    March 5, 2018

    Kulas,

     

    If Facebook was kind enough to use a unique url for each service  like messenger.app.facebook.com, then you might be able to get a basic level of control using certificate inspection only vs deep packet inspection.

     

    Deep inspection is required anytime you want to "see" what your users are using while encrypted.

     

    This is not specific to fortigate  - all systems that "inspect" SSL traffic have to do the same.

     

    Are you aware of a product that can inspect SSL/TLS data streams without decoding and re-sign? 

    You could take the HTTPS traffic and just show the users HTTP and thus not need to re-sign the traffic.

     

    Also if you already have an PKI, you could leverage that with your fotigate - so you don't have to use the certificate that came with your foritgate - but it does need some certificate signing certificate that the end-users computers trust.

     

    The Deep Inspection certificate requires the "keyCertSign" attribute to be set - so I doubt any reputable CertAuthority that is pre-trusted by your OS/Browser will give one out.

     

    -Neil

     

    slicerpro
    slicerpro
    New Member
    April 15, 2019

    Per Palo Alto, their firewalls can differentiate between different facebook.com activities. Also on you Fortigate, you can ask your internal users to accept and install the fortigate certificate from their browsers to take care of the issue on signing.

    Terms & ConditionsAccessibility statement