thrillseeker
New Member
February 25, 2017
Question

Web Filtering Explicit Proxy and CONNECT method

  • February 25, 2017
  • 1 reply
  • 16578 views

Hi all,


I just configured explicit proxy with a web filtering profile based on fortiguard web categories.

I'm wondering if it's possible on FG in explicit proxy mode to block certain Fortiguard web categories based on the URL string used in the CONNECT 443 method for SSL. Please note I don't want to use any SSL inspection profiles (certificate/full) on my explicit web proxy rules!

Since modern browsers, especially Google Chrome, use HSTS, SSL inspection is not an option for me at the moment. Other web proxy vendors like Bluecoat are able to handle web category filtering without any SSL inspection, based on the URL string used in the CONNECT 443 method.


Thanks a lot for your feedback

cheers

Thrillseeker


    1 reply

    hmtay_FTNT
    Staff
    March 3, 2017

    Hello thrillseeker,


    Yes, the FortiGate is capable of doing web filtering without SSL deep-inspection. The FortiGate can inspect the SNI on the Client Hello or the server SSL Certificate. You need to enable certificate-inspection instead of deep-inspection. 

    thrillseeker
    New Member
    March 3, 2017

    Hi,

    Thanks for your feedback.

    As I wrote, when the website uses HSTS, certificate/SNI inspection is not a good solution.

    My question was whether the FG in explicit web proxy mode is able to detect client-requested URLs within the CONNECT method, without any SSL profile enabled?


    Thanks & Regards

    Lukas 

    hmtay_FTNT
    Staff
    March 4, 2017

    >>As I wrote, when the website uses HSTS, certificate/SNI inspection is not a good solution.


    With certificate-inspection, the FG does not do a MitM. The FG does not replace the SSL Certificate with the FG's Certificate. Whether a website uses HSTS or not, if we do not replace the SSL Certificate, you will not get a browser error. 


    >>My question was if FG in explicit web proxy mode is able to detect client requested URL's within the CONNECT 


    Yes, the FG can. You can give it a try and let me know here if you cannot block a site.
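The thread above turns on the fact that an explicit proxy sees two plaintext signals for an HTTPS connection before any TLS interception is needed: the host:port target in the CONNECT request line, and the server_name (SNI) extension in the TLS ClientHello the client sends once the tunnel is open. The following is an added example written for this page, not FortiGate code and not anything posted in the thread. It parses both signals, looks the hostname up in a constructed stand-in for a category table, and refuses the CONNECT (or closes the tunnel) for a blocked category. All hostnames, the category table, the sample request line and the ClientHello bytes are constructed for illustration.

```python
"""Category filtering of HTTPS without decryption: CONNECT target and SNI.

Added example, not from the forum thread and not FortiGate's implementation.
The category table, hostnames and TLS bytes below are all constructed.
"""
import struct

# Constructed stand-in for a vendor category feed (hostname suffix -> category).
CATEGORY_BY_SUFFIX = {
    "example-social.test": "Social Networking",
    "example-bank.test": "Finance and Banking",
}
BLOCKED_CATEGORIES = {"Social Networking"}


def categorize(host):
    """Longest-suffix match of a hostname against the category table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORY_BY_SUFFIX:
            return CATEGORY_BY_SUFFIX[suffix]
    return "Unrated"


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1', else None.

    CONNECT only takes the authority form (RFC 7231 section 4.3.6); a
    bracketed IPv6 literal is accepted, anything else is rejected.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    authority = parts[1]
    if authority.startswith("["):
        close = authority.find("]")
        if close < 0 or authority[close + 1:close + 2] != ":":
            return None
        host, port = authority[1:close], authority[close + 2:]
    else:
        host, sep, port = authority.rpartition(":")
        if not sep:
            return None
    if not host or not port.isdigit():
        return None
    return host, int(port)


def proxy_decision(request_line):
    """Status line the proxy answers with, decided before any TLS bytes flow."""
    target = parse_connect(request_line)
    if target is None:
        return "400 Bad Request"
    if categorize(target[0]) in BLOCKED_CATEGORIES:
        return "403 Forbidden"
    return "200 Connection established"


def extract_sni(record):
    """Return server_name from a TLS ClientHello record, or None.

    Walks the ClientHello as a passive observer: no key material, no
    certificate replacement, so HSTS does not come into play.
    """
    try:
        if record[0] != 0x16:                                 # content type: handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                     # handshake type: ClientHello
            return None
        p = 4 + 2 + 32                                        # type+len, version, random
        p += 1 + hs[p]                                        # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher suites
        p += 1 + hs[p]                                        # compression methods
        if p + 2 > len(hs):
            return None                                       # no extensions present
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                               # server_name extension
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]   # list len(2), type(1), len(2)
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def sni_decision(record):
    """'blocked' closes the tunnel; 'allowed' lets the bytes through untouched."""
    name = extract_sni(record)
    if name is not None and categorize(name) in BLOCKED_CATEGORIES:
        return "blocked"
    return "allowed"


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                        # version, fixed random
            + b"\x00"                                         # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(proxy_decision("CONNECT www.example-social.test:443 HTTP/1.1"))
    print(sni_decision(build_client_hello("www.example-social.test")))
```

Two caveats a practitioner would want. First, because nothing is decrypted, a blocked site cannot receive an HTML block page: on the CONNECT path the client gets a 403 to the CONNECT itself, and on the SNI path the tunnel is simply closed, so the user sees a browser connection error rather than a branded page. Second, the CONNECT target and the SNI are both supplied by the client and need not agree; a filter that only checks one of them can be sidestepped by a client that sends an innocuous CONNECT host and a different SNI, so a careful proxy checks both against the policy.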