FortiGate
osoleimani, Staff
Article Id 265497

Description

This article describes how entries in the SSL exemption list of an SSL deep inspection profile affect web filtering behavior, and how to verify the effect from the logs.

 

Scope

FortiGate.

 

Solution

When a client accesses a web page, FortiGuard category filtering queries the FortiGuard rating service live for the category of the requested site. FortiGate then applies the action configured for that category in the web filter profile, based on the rating returned by the FortiGuard network.

 

In the following example, the action has been set to 'Block' for all FortiGuard Categories in the web filter profile as below, and a deep inspection profile is bound to the same outbound firewall policy:

 

[Image 001-1-Final.jpg: web filter profile with every FortiGuard category set to Block]

 

Because the FortiGate CA certificate has already been imported into the client's web browser, the browser trusts the certificate that deep inspection re-signs for the session, so the client receives the FortiGate replacement message shown below, without a certificate warning, when accessing www.fortinet.com. The web filter log entry shown below the replacement message is generated as well.

 

[Image 002-1.jpg: replacement message shown in the browser for www.fortinet.com]

[Image 003-1.jpg: web filter log entry for the blocked request]

 

Once '*.fortinet.com' is added to the SSL exemption list, the web filtering behavior changes.

Exempting the Fortinet website in the SSL deep inspection profile causes FortiGate to treat the destination as trusted: the session is no longer decrypted, and the FortiGuard category check is bypassed as well. Consequently, only an SSL log entry is generated, and no web filter log entry. Note that the exemption is matched on the server name (SNI or certificate) and that the wildcard entry covers every host under fortinet.com, not only www.fortinet.com.

 

The following is an example of accessing www.fortinet.com after the *.fortinet.com wildcard FQDN object has been added to the SSL exemption list of the deep inspection profile:

 

[Image 004-1.jpg: *.fortinet.com entry in the SSL exemption list of the deep inspection profile]

[Image 005-1.jpg: www.fortinet.com accessed with the exemption in place]

[Image 006-1.jpg: SSL log entry generated for the exempted session; no web filter log entry is generated]

 

Note:

In flow-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL inspection profile are also exempt from all subsequent UTM inspection on that policy, web filtering included. This is the behavior covered by this article. In practice, every SSL exemption on a flow-based policy should therefore be treated as a full security-profile bypass for the matched destination, and exemption entries should be kept as narrow as possible.

In proxy-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL inspection profile are exempt from SSL deep inspection only; subsequent UTM inspection still applies. In the context of this article, www.fortinet.com is still blocked with the SSL exemption in place if the firewall policy is set to proxy-based inspection mode with a corresponding proxy-based web filter profile.
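The following CLI configuration reproduces the two cases described above, so the behavior can be verified outside the GUI. It is an added example and not part of the original article. The wildcard FQDN object and the SSL exemption entry are the ones discussed in the article; the profile, policy and interface names are placeholders, and the two web filter profiles (one flow-based, one with 'set feature-set proxy', both with every FortiGuard category set to Block as in the screenshots) are assumed to exist already.

```fortios
# Assumed names: "block-all-categories" (flow-based) and
# "block-all-categories-proxy" (feature-set proxy) are web filter profiles
# with every FortiGuard category set to Block; port1/port2 are placeholders.

# 1. Wildcard FQDN object referenced by the exemption entry
config firewall wildcard-fqdn custom
    edit "*.fortinet.com"
        set wildcard-fqdn "*.fortinet.com"
    next
end

# 2. Deep inspection profile with the exemption. The built-in
#    "deep-inspection" profile is read-only, so a custom profile is used.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "*.fortinet.com"
            next
        end
    next
end

# 3a. Flow-based policy: the exemption skips decryption AND the web filter,
#     so www.fortinet.com (and every *.fortinet.com host) is reachable despite
#     the block-all web filter profile. Only an SSL log entry is generated.
config firewall policy
    edit 1
        set name "outbound-flow"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-custom"
        set webfilter-profile "block-all-categories"
        set nat enable
    next
end

# 3b. Same policy switched to proxy-based inspection with a proxy-based web
#     filter profile: the exemption skips decryption only, the FortiGuard
#     category check still runs, and www.fortinet.com is blocked with a
#     web filter log entry.
config firewall policy
    edit 1
        set inspection-mode proxy
        set webfilter-profile "block-all-categories-proxy"
    next
end

# Verify the effective configuration before testing from a client
show firewall ssl-ssh-profile deep-inspection-custom
show firewall policy 1
```

After applying either variant, access https://www.fortinet.com from a client behind the policy and compare the logs: with 3a only an SSL log entry appears, with 3b a web filter log entry with the block action appears. If the exemption is meant to avoid decryption problems with a site but category filtering must still apply, 3b is the configuration to use.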