FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jiahoong112
Staff
Article Id 215039
Description

This article describes the method to use when ssl-deep-inspection and proxy-based inspection are applied on a very general firewall policy (Source: Any, Destination: Any) and, because of that inspection, traffic to a specific website is blocked.

Scope

Ensure FortiOS 6.2.2 or later is used. The goal is to allow access to specific websites while 'bypassing' the firewall policy that applies ssl-deep-inspection and proxy-based inspection.

Only traffic to the website specified in this new firewall policy will be allowed by it.

Solution

1) Go to Policy & Objects -> Addresses -> Create New -> Address.

2) Set Type to FQDN.

3) In the FQDN field, enter the hostname; a wildcard FQDN can also be used here. For example, if access to twitter.com is blocked due to ssl-deep-inspection, enter twitter.com in the FQDN field.

4) Use this command in the CLI to confirm which IP addresses the newly created FQDN resolves to:

# diag firewall fqdn list | grep twitter

5) In general form, the command is:

# diag firewall fqdn list | grep <configured_website_name>

6) After this, create a new firewall policy: Policy & Objects -> IPv4 Policy/Firewall Policy -> Create New.

7) This new firewall policy is essentially a clone of the existing firewall policy, but with flow-based inspection mode, ssl-certificate-inspection instead of deep inspection, and the FQDN address that was just created as the Destination. Refer to the attached screenshot.

Lastly, ensure the newly created FQDN firewall policy is placed above the existing firewall policy in the policy sequence, so that it is matched first.
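The same steps carried out from the FortiOS CLI, as an added example that is not part of this article. The interface names port1/port2, the address and policy names, the assumption that the existing deep-inspection policy has ID 1 and that the new policy receives ID 2, and the NAT setting are all assumptions and must be adapted to the unit in question.

```text
# Added example, not from the article. Assumed: LAN interface port2, WAN interface port1,
# existing deep-inspection policy has ID 1, and 'edit 0' assigns ID 2 to the new policy.

# Steps 1-3: FQDN address object (use "*.twitter.com" for a wildcard FQDN instead)
config firewall address
    edit "fqdn-twitter"
        set type fqdn
        set fqdn "twitter.com"
    next
end

# Steps 4-5: confirm which IP addresses the FortiGate has resolved for the object
diagnose firewall fqdn list | grep twitter

# Steps 6-7: flow-based policy with certificate inspection only, destination = the FQDN object
config firewall policy
    edit 0
        set name "bypass-deep-inspection-twitter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "fqdn-twitter"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

# Final step: move the new policy (assumed ID 2) above the existing general policy (ID 1)
config firewall policy
    move 2 before 1
end

# Verify the order: the FQDN policy must be listed before the general policy
show firewall policy
```

Two practical notes. First, the built-in certificate-inspection profile only looks at the TLS handshake (SNI and server certificate) and does not decrypt the session, which is what removes the breakage; keep the policy scoped to the FQDN object rather than widening its destination, so the rest of the traffic still receives deep inspection. Second, a plain FQDN object is resolved by the FortiGate itself, whereas a wildcard FQDN object is populated from DNS responses that pass through the FortiGate, so wildcard entries stay empty if client DNS traffic does not traverse the unit; the diagnose command above shows whether either kind has actually resolved to any addresses.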
