baw_kie
Visitor III
July 29, 2025
Question

URL Filter Fortinet_CA_SSL


I am using FortiManager v7.6.2 build 3415 (Feature).
I would like to block a website named scribd.com.
I created a URL filter and profile under Policy & Objects > Advanced > webfilter > Profile > Create Profile (name Office URL) and attached ID 14 under Web > Urlfilter-table > ID 14.
Then I created a URL filter under Policy & Objects > Advanced > webfilter > urlfilter > Create ID > 14 > block as (*.scribd.com, wildcard).
Then I attached these under Policy & Objects > Policy Packages > FG Traffic > Office Traffic > Webfilter > attach Office URL profile.
There are no rules above the Office Traffic.
The SSL method currently in use is:
Name: no inspection, but the Inspection Method is Full SSL Inspection
CA Cert: Fortinet_CA_SSL
I ran the Install Wizard under Device Manager and chose FG Traffic.
I do have a license for Webfilter. I cleared the cache but still cannot block the web page.

Should I change the SSL no-inspection to custom-deep-inspection?
OR
One thing I noticed after checking with ChatGPT is that when I open the website scribd.com and check the certificate issuer, it says Let's Encrypt instead of Fortinet_CA_SSL.
Should I force the client PC to use Fortinet_CA_SSL?

Please suggest.
Thank you.




2 replies

AEK
SuperUser
July 29, 2025

You can't do Web Filtering with SSL no-inspection.

You need at least certificate-inspection.

In your case you don't need deep-inspection.

AEK
baw_kie
Visitor III
July 30, 2025

Thanks AEK,
Yes, this is the part that confuses me: when I click on SSL Inspection and edit,
what I see is that the name is "no inspection - read only profile" but below, its Inspection Method is "Full SSL Inspection".
Should I leave it as is, or should I change it to "custom-deep-inspection"?

OR
As the CA-Cert is set to Fortinet CA SSL, should I install that cert on all the clients?

Thank you


AEK
SuperUser
July 30, 2025

The read-only no-inspection profile inspects neither traffic nor certificates. I think this is a display error.

You should use the Certificate-Inspection or just create your own. You don't need deep inspection and so you don't need to install any CA certificate on clients.

AEK
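
The setup discussed in this thread, written out in FortiGate CLI form with the SSL inspection profile switched as the answer recommends. This is an added example, not posted by either participant; `<policy-id>` is a placeholder for the Office Traffic policy, and the URL filter list name and entry ID 1 are assumed, while the other names come from the question.

```text
# URL filter list ID 14 with the wildcard block entry from the question
config webfilter urlfilter
    edit 14
        # list name is assumed
        set name "Office URL"
        config entries
            # entry ID 1 is assumed
            edit 1
                set url "*.scribd.com"
                set type wildcard
                set action block
            next
        end
    next
end

# Web filter profile that references URL filter list 14
config webfilter profile
    edit "Office URL"
        config web
            set urlfilter-table 14
        end
    next
end

# Firewall policy: attach the web filter profile and an SSL profile
# that at least inspects certificates
config firewall policy
    edit <policy-id>
        set utm-status enable
        set webfilter-profile "Office URL"
        # before (web filter cannot act on HTTPS traffic):
        #   set ssl-ssh-profile "no-inspection"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

When the change is made in FortiManager, the policy package still has to be installed to the device before the FortiGate uses it.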