Longin
New Member
April 21, 2022
Question

SSL inspection problem - not all pages are inspected

  • April 21, 2022
  • 2 replies
  • 13282 views

Good morning.

I have a problem, maybe someone can help me.

I tested SSL and SSH connections on myself for testing. From the exclusions, I set only the 2 categories proposed by Forti, i.e. those related to health, banking and finances. From the excluded pages section, I removed all the default pages. Unfortunately, I see on several pages, e.g. https://www.youtube.com, https://www.dobreprogramy.pl, that the pages do not have the certificate replaced by my FortiGate. For the remaining options I chose blocking, but still nothing changed.

PS. I have firmware 7.0.5


Thanks for any help.

Best regards,

Longin.

2 replies

jintrah_FTNT
Staff
April 21, 2022

Hi Longin,


It is most likely that the SSL inspection profile used is a certificate inspection profile rather than a deep inspection profile.


Best regards,

Jin

Longin
Longin (Author)
New Member
April 21, 2022

Hi Jin,
Thank you for your answer. I have the Inspection method set to Full SSL Inspection.
Generally, when I check the padlock on most sites, the issuer is my FortiGate, but not everywhere. I wonder why.

I don't really understand this SNI setting and set it to disable for testing. Overall, I have set my policy very strictly.

In the attached photo you have the configuration from the GUI: SSL Inspection.PNG


Best regards,

Longin.

seshuganesh
Staff
April 21, 2022

Hi Team,


Regarding the SNI setting (the check of the SNI in the client hello message against the CN or SAN fields in the returned server certificate):

  • enable: Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
  • strict: Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
  • disable: Do not check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.


You mentioned that for some websites the padlock does not show the FortiGate serial number. Usually this happens only if the specific websites are on the bypass list.

Could you please let us know some of the website names for which this is happening?

Also, are you using a flow-based firewall policy or a proxy-based firewall policy?


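The three SNI modes described in the reply above, modelled as a small decision function. This is an added example written for this thread; it is not FortiGate code and not part of the original post. It assumes the usual DNS-name matching rules (case-insensitive, a single leftmost-label wildcard such as *.youtube.com) and assumes that a ClientHello with no SNI falls back to the certificate CN for filtering; neither assumption is stated on the page. The hostnames and certificates are constructed for the demo.

```python
"""Emulate FortiOS 'sni-server-cert-check' decisions (enable / strict / disable).

Added example, not FortiGate code. Compares the SNI from the ClientHello with
the CN/SAN names of the server certificate and returns what each mode does
with a match or a mismatch. Wildcard handling and the no-SNI case are
assumptions (see lead-in).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Minimal view of a server certificate: subject CN plus DNS SANs (constructed)."""
    cn: str
    sans: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.cn] + self.sans


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' may replace only the leftmost label.

    Assumption: this is the matching rule FortiOS applies; the page does not say.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]              # ".youtube.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]      # the part the '*' would stand for
    return label != "" and "." not in label


@dataclass
class Decision:
    action: str                   # "allow" or "close"
    filter_host: Optional[str]    # hostname handed to URL filtering, if any
    mismatch: bool                # True when SNI did not match CN/SAN


def sni_server_cert_check(mode: str, sni: Optional[str], cert: ServerCert) -> Decision:
    """Return the decision the given mode takes for this SNI / certificate pair."""
    if mode not in ("enable", "strict", "disable"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "disable":
        # No check at all: whatever the client named (or nothing) is used as-is.
        return Decision("allow", sni, False)
    if sni is None:
        # Assumption: nothing to compare, so the certificate CN drives filtering.
        return Decision("allow", cert.cn, False)
    if any(name_matches(name, sni) for name in cert.names()):
        return Decision("allow", sni, False)
    if mode == "strict":
        # Mismatch under strict: the connection is closed.
        return Decision("close", None, True)
    # Mismatch under enable: keep the session, but filter on the cert CN
    # rather than on the (untrusted) client-supplied SNI.
    return Decision("allow", cert.cn, True)


# Constructed sample data for the demo.
CERT_DOBREPROGRAMY = ServerCert("www.dobreprogramy.pl", ["www.dobreprogramy.pl", "dobreprogramy.pl"])
CERT_YOUTUBE = ServerCert("*.google.com", ["*.google.com", "*.youtube.com", "youtube.com"])
CERT_OTHER = ServerCert("cdn.example.net", ["cdn.example.net"])


def demo() -> List[Decision]:
    """Run the cases a practitioner would want to compare side by side."""
    return [
        sni_server_cert_check("enable", "www.dobreprogramy.pl", CERT_DOBREPROGRAMY),  # match
        sni_server_cert_check("strict", "www.youtube.com", CERT_YOUTUBE),             # wildcard match
        sni_server_cert_check("strict", "a.b.youtube.com", CERT_YOUTUBE),             # too deep -> close
        sni_server_cert_check("enable", "www.youtube.com", CERT_OTHER),               # mismatch -> CN filtering
        sni_server_cert_check("disable", "www.youtube.com", CERT_OTHER),              # no check
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The practical difference is the fourth case: a client that sends an SNI of www.youtube.com but lands on a certificate for cdn.example.net is let through under enable, with URL filtering keyed on cdn.example.net instead of the claimed name, while strict drops it. With the check disabled, the claimed SNI alone decides the category, which is the setting the original poster was testing with.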
KemalB
Visitor III
March 8, 2024

Hi Longin, and anyone else: I experienced the same issue. I applied application control and blocked Google QUIC to fix this issue. I can now fully inspect HTTPS connections for Google and YouTube.


Attachment: 01.png