Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cfirpo_FTNT
Staff
Staff

Created on ‎01-01-2015 12:45 PM Edited on ‎02-06-2025 06:29 AM By Moderator

Article Id 191170

Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection

Description


This article describes that, occasionally, some applications may require exemption from Deep SSL inspection to function properly, such as Skype. Exempting an application/domain/website in the SSL-SSH profile means that FortiGate will trust that connection and will no longer apply any security profile to the traffic.

 

Scope

 

FortiGate.

 

Solution

 

It is recommended to configure SSL exemptions through the GUI for ease of use, but this article will cover both the GUI and CLI methods.

Different options are available depending on the version of FortiGate.

SSL exemptions can be done with Reputable websites, by category (trusted Webfilter categories), or with individual domains/addresses:

Note: SSL exemption can only be done with the Inspection Method: Full SSL Inspection.

 

AlexCFTNT_0-1668615171413.png

 

The more exemptions are added, the fewer resources are needed by the firewall to process the traffic through additional UTM profiles. However, exemptions may represent a potential threat of accessing harmful resources.

 

CLI configuration steps (example):
 
  1. Configure the exempt object in Addresses:
 
config firewall address
    edit "test-fortinet.com"
        set type fqdn
        set fqdn "*.fortinet.com"
end
 
  1. Add the following object to the exempt list in the SSL-SSH profile:
 
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "test-fortinet.com"
end

 

GUI configuration steps (example):

  1. Configure the exempt object in Addresses:
                                                                                

Picture 1.png

 

    2. Add the following object to the exempt list in the SSL-SSH profile:

 

Picture 2.png

 

Note:

If the exempt list contains a wildcard address object/domain, FortiGate will check in the SNI (Server Name Indication) field to compare with the wildcard FQDN, which means that the SSL exempt list does not depend on the DNS resolution.

 

  • When a policy is in flow-based mode + SSL exempt + WF profile + SSL profile (server SNI check enabled). SSL exempt log is generated. Traffic is passed through the SSL inspection. The user is presented with a real-server certificate, even if no DNS traffic was passed through the FortiGate.
  • When a policy is in proxy-based mode + SSL exempt + WF profile + SSL profile (server SNI check enabled). There is no log with SSL exemption generated. Traffic is passed through the SSL inspection. The user is presented with a real-server certificate, even if no DNS traffic was passed through the FortiGate.

 

Related article:
Technical Tip: SSL exempt for Microsoft Windows Update

Labels:
32826
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.