Description
This article describes how to exempt Webex from SSL inspection.
Solution
Here is a step-by-step guide:
1. Configure firewall addresses that point to your Webex servers.
config firewall address
    edit "webex1"
        set subnet 62.109.192.0/18
    next
    ...
    edit "webex9"
        set subnet 210.4.192.0/20
    next
end
2. Configure a firewall address group
config firewall addrgrp
    edit "WEBEX"
        set member "webex1" "webex2" "webex3" "webex4" "webex5" "webex6" "webex7" "webex8" "webex9"
    next
end
3. Configure your firewall SSL-SSH profile:
config firewall ssl-ssh-profile
    edit "https"
        config https
            set ports 443
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
        config ssl-exempt
            edit 1
                set type address
                set address "WEBEX"
            next
        end
    next
end
4. Create your firewall policy.
On FortiOS 5.6, the administrator can create a Firewall Policy and add an Internet Service as the destination address. Create a Firewall Policy at the top of the sequence list, select the desired Incoming Interface, Source Address and Outgoing Interface, and select Cisco-Webex as the Destination. Apply NAT if needed and disable any SSL inspection for this traffic.
config firewall policy
    edit <Policy ID>
        set name "Webex"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 1966183
        set action accept
        set schedule "always"
        set nat enable
    next
end
"Exempt list" is only available if the SSL Inspection profile is using "Deep-inspection" option.
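Every subnet entered in steps 1 and 2 bypasses deep inspection, so the list is worth validating before it is pasted into the CLI. The following is an added example, not Fortinet's code: a Python script that rejects malformed, overlapping or overly broad subnets and then renders the address and address group stanzas in the form shown above. The 203.0.113.0/24 entry (standing in for the elided subnets), the /16 limit and the function names are assumptions.

```python
import ipaddress

# Constructed sample input: the two subnets shown on this page plus one
# documentation range (203.0.113.0/24) standing in for the elided entries.
SAMPLE_SUBNETS = ["62.109.192.0/18", "203.0.113.0/24", "210.4.192.0/20"]

MIN_PREFIX = 16  # assumption: refuse exemptions broader than a /16


def validate_subnets(cidrs, min_prefix=MIN_PREFIX):
    """Return parsed networks; raise ValueError on bad, broad or overlapping input."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if net.prefixlen < min_prefix:
            raise ValueError(f"{cidr}: broader than /{min_prefix}, exemption too wide")
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        nets.append(net)
    return nets


def render_exemption(cidrs, prefix="webex", group="WEBEX"):
    """Emit the address objects and address group from steps 1 and 2."""
    nets = validate_subnets(cidrs)
    names = [f"{prefix}{i}" for i in range(1, len(nets) + 1)]
    lines = ["config firewall address"]
    for name, net in zip(names, nets):
        lines += [f'    edit "{name}"', f"        set subnet {net.with_prefixlen}", "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"']
    lines.append("        set member " + " ".join(f'"{n}"' for n in names))
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_exemption(SAMPLE_SUBNETS))
```

Because the member list is generated from the same validated input as the address objects, the group cannot reference an object that was never created.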
Copyright 2023 Fortinet, Inc. All Rights Reserved.