cfirpo_FTNT (Staff)
Article Id 191170

Description


This article describes how to exempt an application from Deep SSL Inspection, which some applications (for example Skype) occasionally require in order to function properly. Exempting an application, domain or website in the SSL/SSH profile means that FortiGate trusts that connection and no longer applies any security profile to its traffic.

Scope

FortiGate.

Solution

It is recommended to configure SSL exemptions through the GUI for ease of use, but this article covers both the GUI and CLI methods.

Different options are available depending on the FortiGate version.

SSL exemptions can be configured for reputable websites, by category (trusted web filter categories), or for individual domains/addresses.

Note: SSL exemption is only available when the Inspection Method is Full SSL Inspection.

The more exemptions are added, the fewer resources the firewall needs to process the traffic through additional UTM profiles. However, every exemption is a blind spot: the exempted traffic is no longer inspected, so harmful content reached through an exempted destination will pass through without being scanned.

CLI configuration steps (example):

  1. Configure the exempt object in Addresses (a wildcard FQDN address that covers every host under the domain):

config firewall address
    edit "test-fortinet.com"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end

  2. Add that object to the exempt list in the SSL-SSH profile (edit 0 creates a new entry with the next free ID):

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "test-fortinet.com"
            next
        end
    next
end
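As an added illustration (not part of this article and not FortiOS code), the following Python parses a configuration written in the CLI syntax above and lists every address-type entry in a profile's exempt list together with the FQDN it resolves to, flagging wildcards broad enough to exempt an entire top-level domain. The configuration text, the "too-broad" object and the one-label heuristic for "broad" are constructed assumptions for the demonstration.

```python
import shlex
# Constructed FortiOS config excerpt (not from a real device): this article's objects plus one over-broad wildcard.
SAMPLE_CONFIG = """\
config firewall address
    edit "test-fortinet.com"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
    edit "too-broad"
        set type fqdn
        set fqdn "*.com"
    next
end
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "test-fortinet.com"
            next
            edit 2
                set type address
                set address "too-broad"
            next
        end
    next
end
"""

def parse_fortios(text):
    """Parse the config/edit/set/next/end subset of FortiOS CLI into nested dicts."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):      # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                 # key/value inside the current entry
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):       # close the current level
            stack.pop()
    return stack[0]

def audit_ssl_exempt(config, profile):
    """Return (object, fqdn, broad) per address-type exemption in a profile;
    'broad' flags a wildcard like *.com that exempts every site under a TLD."""
    findings = []
    for entry in config["firewall ssl-ssh-profile"][profile]["ssl-exempt"].values():
        if entry.get("type") == "address":    # category entries have no address object
            fqdn = config["firewall address"].get(entry["address"], {}).get("fqdn", "")
            findings.append((entry["address"], fqdn, fqdn.startswith("*.") and fqdn.count(".") < 2))
    return findings
```

Run it against a full `show full-configuration` export to review which destinations are currently excluded from inspection and whether any wildcard is wider than intended.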

 

GUI configuration steps (example):

  1. Configure the exempt object in Addresses.

  2. Add that object to the exempt list in the SSL-SSH profile.

Note:

If the exempt list contains a wildcard FQDN address object (as it usually does), DNS traffic must also pass through the FortiGate: from the DNS responses it sees, FortiGate learns which IP addresses resolve under that wildcard domain and can then exempt the matching traffic from Deep SSL Inspection.

Related article:
Technical Tip: SSL exempt for Microsoft Windows Update