Created on ‎01-01-2015 12:45 PM Edited on ‎12-11-2024 03:32 AM By Anthony_E
Description
This article describes that, occasionally, some applications may require exemption from Deep SSL inspection to function properly, such as Skype. Exempting an application/domain/website in the SSL-SSH profile means that FortiGate will trust that connection and will no longer apply any security profile to the traffic.
Scope
FortiGate.
Solution
It is recommended to configure SSL exemptions through the GUI for ease of use, but this article will cover both the GUI and CLI methods.
Different options are available depending on the version of FortiGate.
SSL exemptions can be done with Reputable websites, by category (trusted Webfilter categories), or with individual domains/addresses:
Note: SSL exemption can only be done with Inspection Method: Full SSL Inspection
The more exemptions are added, the fewer resources are needed by the firewall to process the traffic through additional UTM profiles. However, exemptions may represent a potential threat of accessing harmful resources.
GUI configuration steps (example):
2. Add the following object to the exempt list in the SSL-SSH profile:
Note:
If the exempt list contains a wildcard address object/domain, which usually does, DNS traffic should also flow through the FortiGate and can resolve IP addresses under that wildcard domain and exempt specific traffic from the Deep SSL Inspection accordingly.
Related article:
Technical Tip: SSL exempt for Microsoft Windows Update
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.