FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jvergara
Staff
Staff
Description
This article describes how to exempt Webex for SSL Inspection.
Solution

Here is a step by step guide: 

1. Configure firewall address which point towards your webex servers. 

config firewall address
    edit "webex1"
        set subnet 62.109.192.0/18
    next

...

    edit "webex9"
   set subnet 210.4.192.0/20
    next
end

2. Configure a firewall address group 

config firewall addrgrp
    edit "WEBEX"
        set member "webex1" "webex2" "webex3" "webex4" "webex5" "webex6" "webex7" "webex8" "webex9"
    next
end

3. Configure your firewall SSL-SSH profile:

config firewall ssl-ssh-profile
    edit "https"
            config https
                set ports 443
            end
            config ftps
                set ports 990
                set status disable
            end
            config imaps
                set ports 993
                set status disable
            end
            config pop3s
                set ports 995
                set status disable
            end
            config smtps
                set ports 465
                set status disable
            end
            config ssl-exempt
                edit 1
                    set type address
                    set address "WEBEX"
                next
            end
    next
end

4. Create your firewall policy.

On FortiOS 5.6 the administrator can create a Firewall Policy and add an Internet Service as the destination Address. Therefore, while creating a Firewall Policy on top of the sequence list, select your desired Incoming Interface, Source Address and Outgoing Interface and select Cisco-Webex as the Destination. Moreover, you will apply NAT if needed and disable any SSL inspection for this traffic. 


config firewall policy
    edit <Policy ID>
        set name "Webex"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 1966183
        set action accept
        set schedule "always"
        set nat enable
    next
end



"Exempt list" is only available if the SSL Inspection profile is using "Deep-inspection" option
Internal Notes



Contributors