Description
SSL deep-inspection is preferred in firewall policies when the data control must be very precise (i.e. where Application Control or DLP is used). Deep-inspection requires more resources to decrypt the traffic than certificate inspection only, so this option is provided to exempt certain categories from deep scanning, with the main goal of lowering resource usage (memory/CPU). This is not the only reason for exempting categories.
Certain applications expect a specific server certificate (certificate pinning) and will break when SSL deep-inspection is enabled, because the FortiGate re-signs the server certificate with its own CA. In the default deep-inspection profile, there are two predefined categories in the exempt list: "Finance and Banking" and "Health and Wellness".
Other categories can also be added to the list (older FortiOS versions can only do this via the CLI). The categories are the FortiGuard Web Filter categories, so a web filter license is required, as well as a working connection to the FortiGuard rating servers.
Solution
Through the GUI, the option to exempt reputable websites is also available.
Adding categories to the exempt list takes a single step.
Clicking the "+" under "Web categories" presents the list of categories to choose from. Additional categories can be added, or existing ones removed (highlighted in the screenshot):
For the CLI setup the approach is similar.
Use this command first to obtain a list of the available categories:
FortiGate # get webfilter categories
g01 Potentially Liable:
1 Drug Abuse
3 Hacking
4 Illegal or Unethical
5 Discrimination
6 Explicit Violence
12 Extremist Groups
59 Proxy Avoidance
.......
To add categories to the exempt list, for example to add "Business" to the default ones (31 and 33), first note down the corresponding number for "Business" from the list above, which is 49:
FortiGate (custom-deep-insp~ion) # show
config firewall ssl-ssh-profile
    (...)
        config ssl-exempt
            (...)
            edit 25
                set fortiguard-category 31
            next
            edit 26
                set fortiguard-category 33
            next
            (...)
        end
FortiGate (custom-deep-insp~ion) # config ssl-exempt
FortiGate (ssl-exempt) # edit 0
new entry '0' added
FortiGate (0) # set fortiguard-category 49
FortiGate (0) # end
The result:
FortiGate # show firewall ssl-ssh-profile custom-deep-inspection
        (...)
            edit 27
                set fortiguard-category 49
            next
            edit 28
                set fortiguard-category 31
            next
            edit 29
                set fortiguard-category 33
            next
        end
    next
If the requirement is to exempt only a few sites instead of entire categories, this can be done by entering these sites under 'Addresses' in the same SSL/SSH profile. This is easier through the GUI. However, a large number of addresses is better managed through web filter rating overrides, which place the sites in a custom local category that can then be exempted like any other category.
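The CLI equivalent of both per-site options above, as an added example that is not part of the original article. Part 1 exempts a single host by referencing an FQDN address object from the ssl-exempt table; part 2 shows the bulk approach, a custom local category populated through rating overrides and then exempted by its category number. The object name "exempt-updates-host", the hostnames, the local category name "ssl-exempt-sites" and its ID 140 are placeholders (local category IDs live in the 140-191 range); the profile name is the custom-deep-inspection profile used above.

```text
# Added example, not from the original article. Object names, hostnames
# and the local category ID are placeholders.

# --- Part 1: exempt a single site by address object ---
config firewall address
    edit "exempt-updates-host"
        set type fqdn
        set fqdn "updates.example.com"
    next
end

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            # 'edit 0' allocates the next free entry ID, as in the category example
            edit 0
                set type address
                set address "exempt-updates-host"
            next
        end
    next
end

# --- Part 2: many sites via a custom local category and rating overrides ---
config webfilter ftgd-local-cat
    edit "ssl-exempt-sites"
        set id 140
    next
end

config webfilter ftgd-local-rating
    edit "updates.example.com"
        set rating 140
    next
    edit "licensing.example.net"
        set rating 140
    next
end

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set fortiguard-category 140
            next
        end
    next
end
```

Verify with `show firewall ssl-ssh-profile custom-deep-inspection`: the address entry shows `set type address`, while category entries show no `type` line because fortiguard-category is the default. An FQDN address object is matched against the server name the client presents in the TLS handshake (SNI) or the server certificate, so a client that connects by raw IP is not exempted by it; the rating-override path has the same dependency on the requested hostname, and in addition requires the web filter license and FortiGuard connectivity mentioned in the Description.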