Description
This article describes that SSL deep-inspection is preferred in firewall policies when the data control must be very precise (ie. where Application Control or DLP is used). It is known that deep packet inspection requires more resources to decrypt the traffic as compared to only certificate inspection, so this option is provided to exempt certain categories from deep scanning, with the main goal of lowering resource usage (memory/CPU). This is not the only reason for exempting categories.
Certain applications may be looking for specific certificates and will break when SSL deep-inspection is enabled. In the default deep-inspection profile, there are two predefined categories in the exempt list: 'Finance and Banking' and 'Health and Wellness'.
Other categories can also be added to the list (older FortiOS versions can only perform this configuration via CLI). Categories are based on the Webfilter categories, so a Webfilter license is required, as well as a good connection to the Webfilter rating servers.
Scope
FortiGate.
Solution
Through the GUI, the option to exempt reputable websites is also available.
Adding additional categories to the exempt list is only one step away.
Selecting the '+' under 'Web categories' will present the list of categories to choose from. Can either add additional categories, or remove from existing ones (highlighted):
For the CLI setup, the approach is similar.
Use this command first to obtain a list of the available categories:
FortiGate # get webfilter categories
g01 Potentially Liable:
1 Drug Abuse
3 Hacking
4 Illegal or Unethical
5 Discrimination
6 Explicit Violence
12 Extremist Groups
59 Proxy Avoidance
To add categories to the exempt list, for example, to add 'Business' to the default ones 31, 33, first note down the corresponding number for 'Business' from the list above - 49:
FortiGate (custom-deep-insp~ion) # show
config firewall ssl-ssh-profile
config firewall ssl-ssh-profile
(...)
config ssl-exempt
(...)
edit 25
set fortiguard-category 31
next
edit 26
set fortiguard-category 33
next
(...)
end
FortiGate (custom-deep-insp~ion) # config ssl-exempt
FortiGate (ssl-exempt) # edit 0
new entry '0' added
FortiGate (0) # set fortiguard-category 49
FortiGate (0) # end
The result:
FortiGate # show firewall ssl-ssh-profile custom-deep-inspection
(...)
edit 27
set fortiguard-category 49
next
edit 28
set fortiguard-category 31
next
edit 29
set fortiguard-category 33
next
end
next
If the requirement is to only exempt a few sites instead of entire categories, this can be achieved by entering these sites under the 'Addresses' in the same SSL-SSH profile. This operation is achieved more easily through a GUI. However, managing a large number of addresses can be better done through web filter override categories.
Note:
The 'Exempt from SSL Inspection' option is only available when the inspection method is set to 'Full SSL Inspection' under the SSL/SSH Inspection Profile.
Related article:
Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection
Related article:
Technical Tip: Exempting applications/domains/websites from Deep SSL Inspection
