jiahoong112 (Staff)
Article Id 215039
Description

This article describes two methods that can be used when SSL deep inspection and proxy-based inspection are enabled on a very general firewall policy (Source: Any, Destination: Any) and traffic to a specific website is blocked as a result.

 

Scope

FortiOS v6.2.2 and later. The goal is to allow access to specific websites while 'bypassing' the firewall policy that has SSL deep inspection and proxy-based inspection enabled.

Only traffic to the website specified in the FQDN object is exempted or matched by the new policy; all other traffic continues to be handled by the existing policy.

 

Solution

Method 1: Exempt from SSL Inspection

  1. Go to Policy & Objects -> Addresses -> Create New -> Address.

  2. Select Type FQDN. In the FQDN field, enter the FQDN to be allowed (a wildcard FQDN is also possible). For example, if access to twitter.com is blocked by SSL deep inspection, enter twitter.com in the FQDN field.

  3. Use the following CLI command to confirm which IP address the newly created FQDN resolves to, replacing <configured_website_name> with the configured FQDN (for example, twitter):

diagnose firewall fqdn list | grep <configured_website_name>

For v7.0 and later:

diagnose firewall fqdn list-all | grep <configured_website_name>

For the twitter.com example, the commands are:

diagnose firewall fqdn list | grep twitter

For v7.0 and later:

diagnose firewall fqdn list-all | grep twitter

  4. Go to Security Profiles -> SSL/SSH Inspection -> edit the SSL/SSH Inspection Profile that is being used, and add the FQDN object created earlier to the Addresses field under Exempt from SSL Inspection.

[Screenshot: twitter.PNG]

 

Method 2: Create another policy without deep inspection and proxy-based inspection to allow the traffic

  1. Create an FQDN object by following steps 1 and 2 of Method 1.

  2. Create a new firewall policy: Policy & Objects -> IPv4 Policy/Firewall Policy -> Create New.

  3. This new firewall policy is essentially a clone of the existing firewall policy, but with flow-based inspection, the certificate-inspection SSL/SSH profile, and the newly created FQDN object as the Destination. Refer to the attached screenshot.

[Screenshot: allow.PNG]

Ensure the newly created FQDN firewall policy is placed above the existing firewall policy in the firewall policy sequence, so that it is evaluated first.
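Both methods expressed as FortiOS CLI configuration, as an added example that is not part of the original article and not Fortinet's own reference text. It assumes a custom SSL/SSH profile named deep-inspection-custom (the built-in deep-inspection profile is read-only and must be cloned first), interfaces port2 (LAN) and port1 (WAN), an existing general policy with ID 3 and a new policy with ID 10; the object names, interface names and policy IDs are illustrative. The FQDN address object is shared by both methods; the ssl-exempt entry is Method 1, and the second policy plus the move command that places it above the general policy is Method 2.

```fortios
# Shared step (both methods): an FQDN address object for the site.
# Object names, interface names and policy IDs are assumptions for this example.
config firewall address
    edit "fqdn-twitter.com"
        set type fqdn
        set fqdn "twitter.com"
    next
end

# Optional: a wildcard FQDN object also covers subdomains.
config firewall wildcard-fqdn custom
    edit "wc-twitter.com"
        set wildcard-fqdn "*.twitter.com"
    next
end

# Method 1: exempt the FQDN object inside the SSL/SSH profile used by the
# general policy. Only this destination is exempted; everything else on the
# policy still gets deep inspection.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config ssl-exempt
            edit 1
                set type address
                set address "fqdn-twitter.com"
            next
        end
    next
end

# Method 2: a second policy that matches only the FQDN as destination and
# runs in flow mode with certificate inspection instead of deep inspection.
config firewall policy
    edit 10
        set name "allow-twitter-no-deep-inspection"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "fqdn-twitter.com"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
    # The new policy must sit above the general policy (ID 3 assumed)
    # so it is matched first.
    move 10 before 3
end

# Verification (commands from the article): confirm the FQDN has resolved,
# otherwise neither the exemption nor the new policy will match any traffic.
# diagnose firewall fqdn list | grep twitter        (before v7.0)
# diagnose firewall fqdn list-all | grep twitter    (v7.0 and later)
```

Because the policy matches on a resolved FQDN, the FortiGate must be able to resolve twitter.com itself; if the diagnose output shows no addresses, check the unit's DNS settings before troubleshooting the policy. Logging is enabled on the new policy so that hits on the exempted destination remain visible even though they skip deep inspection.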