FortiGate
cfirpo_FTNT
Staff
Article Id 191170

Description


This article demonstrates how to exempt certain destinations from deep SSL inspection. Exempting an application, domain or website in the SSL-SSH profile means that FortiGate trusts that connection and no longer applies security profiles to its traffic.

 

Scope

 

FortiGate.

 

Solution

 

SSL exemptions can be configured for all reputable websites, by category (trusted web filter categories), or for individual domains/addresses:

Note: SSL exemption is only available with the Inspection Method set to Full SSL Inspection.

 


 

Exempted traffic uses fewer firewall resources since traffic is not inspected further. Exemptions should be used with care to avoid skipping inspections for sensitive traffic.

 

CLI configuration steps (example):
 
  1. Configure the FQDN address to exempt. If the address is a wildcard and is only needed for SSL exemption, use 'config firewall wildcard-fqdn custom':
 
config firewall address
    edit "test.fortinet.com"
        set type fqdn
        set fqdn "test.fortinet.com"
    next
end
 
config firewall wildcard-fqdn custom
    edit "*.example.com"
        set wildcard-fqdn "*.example.com"
    next
end
 
  2. Add the objects to the exempt list in the SSL-SSH profile:
 
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "test.fortinet.com"
            next
            edit 0
                set type wildcard-fqdn
                set wildcard-fqdn "*.example.com"
            next
        end
    next
end

 

GUI configuration steps (example):

  1. Configure the exempted object in Addresses:

  2. Add the object to the exempt list in the SSL-SSH profile:


 

Note:

If the exempt list contains a wildcard address object/domain, FortiGate compares the SNI (Server Name Indication) field of the TLS Client Hello against the wildcard FQDN, so for these entries the SSL exempt list does not depend on DNS resolution.

 

  • When a policy is in flow-based mode with SSL exempt, a web filter profile and an SSL profile (server SNI check enabled): an SSL exempt log is generated, the traffic is passed through SSL inspection, and the user is presented with the real server certificate, even if no DNS traffic passed through the FortiGate.
  • When a policy is in proxy-based mode with SSL exempt, a web filter profile and an SSL profile (server SNI check enabled): no SSL exemption log is generated, the traffic is passed through SSL inspection, and the user is presented with the real server certificate, even if no DNS traffic passed through the FortiGate.
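To review what an exempt list like the CLI example above actually lets through, the following added script (not part of the article or of FortiOS) parses a 'config ssl-exempt' block and checks observed SNI values against it. Matching is glob-style and case-insensitive, and address-type entries are compared against the object name, which in the article equals its FQDN; both are assumptions, since the article does not spell out FortiOS's exact matching rules.

```python
"""Audit a FortiGate ssl-exempt list against observed TLS SNI values."""
import fnmatch
import re
from typing import List, Tuple

# Constructed copy of the ssl-exempt block from the article's CLI steps.
SSL_EXEMPT_CLI = """
config ssl-exempt
    edit 0
        set type address
        set address "test.fortinet.com"
    next
    edit 0
        set type wildcard-fqdn
        set wildcard-fqdn "*.example.com"
    next
end
"""

def parse_ssl_exempt(cli: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs from a 'config ssl-exempt' block."""
    entries, current_type = [], None
    for line in cli.splitlines():
        line = line.strip()
        if m := re.match(r'set type (\S+)', line):
            current_type = m.group(1)
        elif m := re.match(r'set (address|wildcard-fqdn) "([^"]+)"', line):
            entries.append((current_type, m.group(2)))
    return entries

def is_exempt(sni: str, entries: List[Tuple[str, str]]) -> bool:
    """True if the SNI matches an exempt entry; no DNS lookup is involved."""
    host = sni.lower().rstrip('.')
    for etype, value in entries:
        pattern = value.lower()
        # Assumption: the address object's name equals its FQDN (as in the article).
        if etype == 'address' and host == pattern:
            return True
        # Assumption: glob semantics, so '*.example.com' does not match 'example.com'.
        if etype == 'wildcard-fqdn' and fnmatch.fnmatchcase(host, pattern):
            return True
    return False

def audit(snis: List[str], entries) -> Tuple[List[str], List[str]]:
    """Split observed SNI values into exempt (not inspected) and inspected."""
    exempt = [s for s in snis if is_exempt(s, entries)]
    return exempt, [s for s in snis if s not in exempt]

def broad_patterns(entries, min_labels: int = 2) -> List[str]:
    """Flag wildcard entries whose fixed part has fewer than min_labels labels."""
    return [v for t, v in entries if t == 'wildcard-fqdn'
            and len([lbl for lbl in v.split('.') if '*' not in lbl]) < min_labels]
```

Running audit() over SNI values exported from the FortiGate's SSL logs shows which destinations skip deep inspection, and broad_patterns() highlights wildcard entries worth a second look.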


The SSL exemption list of FQDN objects behaves differently in flow-based and proxy-based inspection modes; see the article Technical Tip: SSL Exemption based on domain in Proxy-based Inspection.

Related articles:
Technical Tip: SSL exempt for Microsoft Windows Update

Technical Tip: How to configure wildcard-FQDN custom and group