jft3166
New Member
May 3, 2017
Question

How to block HTTPS sites without SSL inspection

  • May 3, 2017
  • 3 replies
  • 63880 views

Hi everybody,

I have a FortiGate 800C running version 5.4.

I want to block HTTPS sites with the web filter, but in my business we can't use SSL inspection; it's forbidden by law in France...

Do you know how I can block HTTPS sites without SSL inspection?

I know the solution with a DNS server to redirect domains to a specific page, or the solution of blocking the IP, but it's too tedious and not completely efficient.

Thanks for your answers.

Best regards,

jft

3 replies

EMES
New Member
May 3, 2017

First create address objects with the FQDN of the websites you want to block. Then create a security policy going from inside to outside, service HTTPS, and the new address objects. I think that should block the HTTPS version of the website. Depending on how many websites you are blocking this may get a bit much because of the DNS lookup the firewall has to do when it processes the policy, and the IP may not be the same every time (see https://forum.fortinet.com/FindPost/118125).

You can also create two different policies, one for service HTTP and one for HTTPS, and attach different web filtering profiles to them, blocking the sites you want on the HTTPS side. It will take more work to maintain both profiles but it should get you what you need.

hmtay_FTNT
Staff
May 4, 2017

Hello jft,

You do not need to enable deep-inspection to block most HTTPS sites. In your policies, if you enable "certificate-inspection" under SSL Inspection, the FortiGate will scan the Client Hello SNI or the Server Certificate commonName. It will not do a man-in-the-middle interception.

For example, if you add a Static URL filter for "*.facebook.com", it will work for HTTP and HTTPS sessions.

HoMing
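hmtay_FTNT's point that certificate-inspection matches the Client Hello SNI (or the certificate commonName) without decrypting anything can be seen in a small SNI parser. This is an added example, not FortiGate code or code from anyone in the thread; the ClientHello bytes are constructed inline, and BLOCKED_PATTERNS is a hypothetical stand-in for the "*.facebook.com" static URL filter in the reply.

```python
import struct
from fnmatch import fnmatchcase

# Stand-in for the reply's Static URL filter "*.facebook.com"; the bare apex entry is an assumption.
BLOCKED_PATTERNS = ["*.facebook.com", "facebook.com"]

def build_client_hello(server_name: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(host)) + host               # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"           # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body            # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None (absent, truncated, not TLS)."""
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if record[0] != 0x16 or hs[0] != 0x01:                 # 22 = handshake, 1 = ClientHello
            return None
        p = 4 + 2 + 32                                          # skip header, version, random
        p += 1 + hs[p]                                          # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher_suites
        p += 1 + hs[p]                                          # compression_methods
        if p + 2 > len(hs):
            return None                                         # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            # server_name extension: 2-byte list length, then name_type (0 = host_name), length, name.
            if etype == 0 and hs[p + 2] == 0:
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

def verdict(record: bytes) -> str:
    """Policy decision from the SNI alone; the session payload is never decrypted."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"                                         # nothing to match on
    return "block" if any(fnmatchcase(name, p) for p in BLOCKED_PATTERNS) else "allow"
```

A ClientHello without an SNI extension returns "no-sni", which is the case the reply's fallback to the Server Certificate commonName covers.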

jft3166 (Author)
New Member
May 9, 2017

Hello EMES and hmtay_FTNT,

Thank you very much for your answers!! I will try your solutions.

EMES's solution is good but it may be heavy to create all the objects with FQDNs.

hmtay_FTNT's solution seems better, but first the page "the connection is not secure, add an exception..." (the certificate problem page) appears, and after that the Fortinet message appears which says: "Web Page Blocked".

The result is good because the pages are blocked! It's a pity there is this problem of the unsecured page...

Thanks!

Jft

shennar
New Member
May 26, 2017

I have the same problem.

When I block an HTTPS website I get a certificate error, not the block page from FortiGuard.

Bromont_FTNT
Staff
May 26, 2017

shennar, you are getting the block page from the FortiGate, but it's HTTPS and thus presenting the FortiGate certificate. Your browser expects HTTPS AND the certificate to match the site you're attempting to visit, so it presents the certificate error.

shennar
New Member
May 30, 2017

Thank you Bromont_FTNT.

Is there any way I can disable SSL inspection?

Because with the upgrade to version 5.6, if you want to enable the web filter you must enable SSL inspection.