Description
This article describes that, occasionally, some applications may require exemption from SSL inspection to function properly, such as Skype. Exempting an application/domain/website in the SSL-SSH profile means that FortiGate will trust that connection and will no longer apply any security profile to the traffic.
Scope
FortiGate.
Solution
It is recommended to configure SSL exemptions through the GUI for ease of use, but this article will cover both the GUI and CLI methods.
Different options are available depending on the version of FortiGate.
SSL exemptions can be done with Reputable websites, by category (trusted Webfilter categories), or with individual domains/addresses:
The more exemptions are added, the fewer resources are needed by the firewall to process the traffic through additional UTM profiles. However, exemptions may represent a potential threat of accessing harmful resources.
CLI configuration steps (example):
- Configure the exempt object in Addresses:
config firewall address
edit "test-fortinet.com"
set type fqdn
set fqdn "*.fortinet.com"
end
- Add the following object to the exempt list in the SSL-SSH profile:
config firewall ssl-ssh-profile
edit "custom-deep-inspection"
config ssl-exempt
edit 0
set type address
set address "test-fortinet.com"
end
Related article:
Technical Tip: SSL exempt for Microsoft Windows Update
