esteve
New Member
June 27, 2018
Question

SSL Inspection to selected websites


Hello;

 

I want to accomplish something that I think makes a lot of sense for me, but for some reason I haven't found a way to do it: I want to use SSL inspection ONLY for Gmail, to prevent any worker from using any consumer email or mail from any other GSuite domain. I don't want the firewall to process any other SSL website, only Gmail. I don't want to use the Application Control module; I need to keep the resource usage to the minimum needed. We have a FortiGate 100E, and enabling SSL deep inspection raises the CPU usage to 40-50% because we have more than 100 people here.

 

Is there a way to do it? Through the GUI or the CLI, I don't care, but I need the SSL inspection rule to behave like "no site except selected sites" instead of "all sites except exempted sites", since it's something I want to apply particularly to a selected number of sites, not remove from them.

 

Thank you :)


emnoc
New Member
June 27, 2018

Typically it's the other way: you make exceptions per site for what you do not want to inspect. Have you tried a wildcard FQDN in a policy rule and then enabled SSL inspection for that one rule?

 

*.gmail.com    HTTPS    SSL_INSPT_PROFILE

 

 

Ken

 

 

esteve (Author)
New Member
June 27, 2018

Hi Ken;

 

I already tried, but for some reason the FortiGate does not allow wildcard FQDNs to be applied to policy rules. I even tried to cheat it by making a group with some unrelated addresses; the group was appearing in the destination list to select from, but once I add any wildcard FQDN address to it, that group disappears from the selection list. To my understanding this is a nonsensical limitation, but I don't mind as long as it can be accomplished some other way than installing the Application Control module.

 

Thanks for your help :)

Toshi_Esumi
SuperUser
June 27, 2018

A wildcard FQDN can't be used as a src/dst address object in a policy on a FGT, because it can't be translated to address(es) via DNS. If you are running 5.6.x or above, you have the option to choose the Internet Service "Google-Gmail" in the GUI (in the CLI, set internet-service enable / set internet-service-id 65646). The GUI shows me it includes "Total IP Ranges: 352, Total IPs: 119110". I'm not sure what exactly "IP Ranges" means, though.
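Putting the two pieces of the last reply together (a policy keyed on the "Google-Gmail" Internet Service that carries the deep-inspection profile, placed above a catch-all outbound policy that carries no SSL inspection), as an added example that is not from the thread or from Fortinet documentation. The interface names, policy IDs, policy names and the "deep-inspection" profile name are assumptions; the internet-service-id 65646 is the value quoted in the reply above for FortiOS 5.6.x, and the CLI syntax follows that release.

```fortios
# Added example, not from the thread. Assumptions: LAN on "internal", WAN on "wan1",
# FortiOS 5.6.x syntax, internet-service-id 65646 = "Google-Gmail" (as quoted above).
config firewall policy
    # Policy 10: only traffic to the Gmail Internet Service is deep-inspected.
    # With "internet-service enable" the destination and service come from the
    # ISDB entry, so no dstaddr/service is set here.
    edit 10
        set name "Inspect-Gmail-Only"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
        set nat enable
    next
    # Policy 20: everything else is allowed without SSL deep inspection,
    # which is what keeps the CPU cost off the other 100+ users' traffic.
    edit 20
        set name "General-Outbound"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic utm
        set nat enable
    next
end
# Policies match top-down, so the Gmail policy must sit above the catch-all.
# The move is a no-op if 10 is already above 20, and a fix if it is not.
config firewall policy
    move 10 before 20
end
```

To check the result from a client on the LAN, look at the issuer of the certificate presented for mail.google.com versus another HTTPS site: the Gmail connection should show the FortiGate's inspection CA as issuer, the other site its real CA. Two caveats a practitioner should keep in mind: the Internet Service ranges are FortiGuard-maintained and updated with the ISDB, so keep those updates enabled; and because Google front ends serve many services from shared address space, some non-Gmail Google traffic may also land on policy 10 and be inspected, which is still far less than inspecting every site. If the GUI refuses to enable the SSL/SSH profile without another security profile on the policy, attach a web filter or antivirus profile to policy 10 as well.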