FortiGate
lmateus
Staff
Article Id 197546

Description

This article describes the historical introduction of certificate-inspection support for Web Filtering on the FortiGate.

Scope

FortiGate v5.0 and later.

Solution

In early FortiOS versions (5.0.2 and earlier), Web Filtering was only supported when used with SSL/TLS deep inspection (i.e. machine-in-the-middle). This was required so that the FortiGate could read the HTTP Host header and the request-target/path, both of which sit inside the TLS-encrypted HTTP payload.


As of v5.0.3, the Web Filter feature supports URL filtering of HTTPS traffic using certificate-inspection (i.e. SSL deep scan/inspection is no longer mandatory). With this feature improvement, FortiOS will now check the Server Name Indication (SNI) that is present in the TLS Client Hello, as well as the Common Name found in the Subject field of the server's certificate.

With the above in mind, URL filtering for HTTP/HTTPS sessions will proceed as follows:

  1. If the traffic is unencrypted HTTP, or if SSL deep scan/inspection is enabled, then FortiOS will check the HTTP Host and path fields of the HTTP request.
  2. If SSL deep inspection is not enabled then the FortiGate will scan the Server Name Indication in the TLS Client Hello message (part of the TLS handshake).
  3. If a valid hostname is found then it will be used for local URL filtering and FortiGuard Category filtering.
  4. If a valid SNI is not found then FortiOS will scan the Common Name as implemented in previous versions.
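As an added illustration (not FortiOS code and not part of the original article), the following Python models the four-step precedence above: it builds a constructed TLS ClientHello, pulls the server_name extension out of it, applies the block-invalid-hostname decision, and falls back to the certificate Common Name when no SNI is present. The hostname-validity check is an assumed RFC 1123-style syntax rule, since the article does not define what FortiOS treats as an invalid hostname.

```python
import re
import struct
HOSTNAME_RE = re.compile(  # assumed RFC 1123-style syntax check, not FortiOS's own rule
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

def build_client_hello(sni):
    """Constructed TLS ClientHello record (sample input) with an optional server_name extension."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32                                 # client_version + random
            + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"              # session_id, suites, compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record type 22 = handshake

def extract_sni(record):
    """Walk a ClientHello record and return the server_name value, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                          # record + handshake headers, version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    if pos + 2 > len(record):
        return None                                           # hello carries no extensions block
    pos += 2
    ext_end = pos + struct.unpack("!H", record[pos - 2:pos])[0]
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                        # server_name: list_len(2) type(1) name_len(2) name
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return None

def select_hostname(http_host, client_hello, cert_cn, block_invalid_hostname):
    """Return (source, hostname, blocked); http_host is set for plaintext HTTP or after deep inspection."""
    if http_host is not None:
        return "host", http_host, False                       # step 1: Host header is readable
    sni = extract_sni(client_hello) if client_hello else None
    if sni is not None:                                       # steps 2-3: SNI from the ClientHello
        if HOSTNAME_RE.match(sni):
            return "sni", sni, False
        if block_invalid_hostname:                            # block-invalid-hostname enabled
            return "sni", sni, True
    return "cn", cert_cn, False                               # step 4: certificate Common Name
```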
When configured for certificate-inspection, the real HTTPS server certificate will be presented to the client for allowed URLs (i.e. no machine-in-the-middle or certificate replacement). The FortiGate certificate will still be presented in the blocked page replacement message.

If the block-invalid-hostname option is enabled in the Web Filter profile then any invalid hostnames found in the TLS Client Hello's Server Name Indication field will result in the request being blocked and logged (certificate inspection mode only).


Related documents:

Technical Tip: Differences between SSL Certificate Inspection and Full SSL Inspection

FortiOS Admin Guide - SSL & SSH Inspection