Allwyn_Mascarenhas
New Member
December 18, 2015

https blocked with app control and no ssl certificate installed


Hi FortiGuys,

 

One of my clients wanted to block FB, but without using SSL inspection, as he didn't want to install the cert on hundreds of his staff computers.

 

I explained that, with that constraint, there would be no other way to get it done.

 

Then, to convince the client, I opened a Fortinet ticket and got the same response: this can't be done without SSL inspection and cert installation.

 

Now this guy hired some other service provider, and those guys simply blocked the social media signatures in app control, applied it to the policy, and IT HAS WORKED.

 

It doesn't say "FortiGuard blocked"; it just keeps the loading icon spinning, and FB doesn't load at all.

 

The whole situation is turning so embarrassing.

 

Please tell me if this is a proper workaround. Will this work in the long term? How is this even working? It looks like the browser simply doesn't complete the request in some way.

 

Please, any explanation here. Thanks.

Best answer by hmtay_FTNT

Ralph1973
New Member
December 21, 2015

I think this is linked to DNS. I work with a customer for whom I configured application control. Their HA cluster doesn't have SSL inspection enabled, but Facebook still shows up in the application logs. Also, when you enable certificate inspection, the certificate domain name is readable. I always assume(d) that the FGT uses the DNS entries. But I will follow this thread to maybe know it for sure.

 

Kind regards,

Ralph Willemsen

Arnhem, Netherlands

Allwyn_Mascarenhas
New Member
January 4, 2016

Thanks for the response, Ralph.

 

FortiGate TAC did not even mention that this is a way to block HTTPS websites, and this has created an issue for us now.

 

Will this successfully block the sites, or is there a chance of them opening up at some point?

Ralph1973
New Member
January 4, 2016

Hello Allwynmasc, I did a quick check and noticed that most/all(?) applications are recognized (e.g. Skype, Google).

I don't think it will notice sub-items, like on Facebook (e.g. chat or video), but I recommend you test it.

I think it will be successfully blocked, from what I have seen. Please let me know if you find something.

 

Regards,

Ralph Willemsen

hmtay_FTNT
Staff
March 23, 2018

Hello,

 

Let me explain. To block most SSL applications, all that is required is certificate-inspection, not necessarily deep-inspection. Deep-inspection allows the FortiGate to identify more specific features of, let's say, Facebook, like Facebook_Chat and Facebook_Video. If your requirement is simply to block the application entirely, setting Facebook to Block with certificate-inspection is enough. The FortiGate parses the SNI in the SSL session to determine the hostname of the session's destination.

 

>>It doesn't say "fortiguard blocked" but just keeps the loading icon spinning and fb doesn't load at all.

 

If an SSL session is blocked without deep-inspection enabled, meaning only certificate-inspection is used, the FortiGate will not be able to send a replacement message. The replacement message is sent on a "best attempt" basis, meaning there will be some scenarios where the FortiGate cannot send the replacement message without breaking the fundamentals of the HTTP protocol.

 

HoMing
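The mechanism HoMing describes, reading the hostname out of the TLS ClientHello's SNI extension and matching it against a blocklist, is shown below as an added example. This is not Fortinet code and not a description of FortiOS internals; it is a minimal, self-contained parser written for this thread, with a constructed ClientHello (the `build_client_hello` helper and the `BLOCKED_SUFFIXES` list are assumptions made for the example). It only reconstructs the SNI part of the explanation: a real certificate-inspection profile also sees the server's certificate during the handshake, which this example does not model.

```python
"""Added example for this thread: SNI-based blocking of a TLS session
without decryption, as certificate-inspection does. Not FortiOS code."""
import struct

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000        # extension type: server_name (SNI)

# Constructed blocklist for the example; FortiGate uses its own app signatures.
BLOCKED_SUFFIXES = ("facebook.com", "fbcdn.net", "messenger.com")


def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).
    sni=None produces a ClientHello with no server_name extension."""
    body = b"\x03\x03" + b"\x11" * 32                   # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
    body += b"\x01\x00"                                  # null compression
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension (supported_versions) so the parser must skip it.
    sv = b"\x02\x03\x04"
    exts += struct.pack("!HH", 0x002B, len(sv)) + sv
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None when
    the bytes are not a ClientHello or carry no SNI (e.g. old clients)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        off = 2 + 32                                       # version + random
        sid_len = p[off]; off += 1 + sid_len               # session_id
        cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len
        cm_len = p[off]; off += 1 + cm_len                 # compression methods
        if off + 2 > len(p):
            return None                                    # no extensions block
        ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
            edata = p[off:off + elen]; off += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                             # NameType host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def decide(record, blocked=BLOCKED_SUFFIXES):
    """Return ('block', host) when the SNI matches the blocklist, else ('allow', host).
    'block' means the firewall drops or resets the session: without the session
    key it cannot inject an HTML replacement page, so the browser just spins."""
    host = extract_sni(record)
    if host is None:
        return ("allow", None)      # no hostname to match on with SNI alone
    h = host.lower().rstrip(".")
    for s in blocked:
        if h == s or h.endswith("." + s):
            return ("block", host)
    return ("allow", host)


if __name__ == "__main__":
    for sni in ("www.facebook.com", "static.xx.fbcdn.net", "example.com", None):
        print(sni, "->", decide(build_client_hello(sni)))
```

The "no SNI" branch is the practical caveat: the firewall never decrypts anything, so its only evidence is what the client volunteers in the clear. A client that omits SNI, or a future one that encrypts it (TLS Encrypted Client Hello), gives this path nothing to match, which is why deep inspection remains the only way to see Facebook's sub-features and to serve a proper block page.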

fjulianom
Explorer II
March 23, 2018

Hi HoMing,

 

It makes a lot of sense. That answers the question in my other post:

 

https://forum.fortinet.com/tm.aspx?m=157911

 

Very good explanation. Thanks for clarifying.

 

Regards,

Julián