pkavin
Staff
Article Id 208504
Description
This article describes an issue with the web-proxy profile not working as expected when created on FortiGate.
Scope
FortiOS 6.2 and later.
Solution

FortiGate can use a web-proxy profile for tenant restriction and for other tasks as needed in an environment.

 

Refer to the following document for further information on the web-proxy profile configuration:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/480209/restricted-saas-access-0365-g...

 

Sometimes the web-proxy profile does not take effect even though the appropriate web-proxy profile is configured on the firewall policy.

 

The following configuration could be applied on the FortiGate to fix the issue:

 

config firewall ssl-ssh-profile
    edit <Name of the Profile>    <----- Replace it with the appropriate name.
        config ssl
            set inspect-all disable
        end
    next
end

 

Also, the relevant websites should not be exempted from Deep Packet Inspection in the SSL/SSH profile.

 

When inspect-all is enabled, FortiGate looks only at the configuration under 'config web-proxy global', so only the settings under that option are considered.

Thus, disable inspect-all if FortiGate has to consider the settings under 'config web-proxy profile'.
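
One way to audit a configuration backup for the condition described above, as an added example that is not part of the original article or Fortinet's own tooling: it lists firewall policies that carry a web-proxy profile while their SSL/SSH profile has inspect-all enabled. The profile and policy names are constructed, and it assumes single-line values and that an omitted inspect-all means the default, disable.

```python
import shlex
# Constructed FortiOS-style backup excerpt; profile and policy names are made up.
SAMPLE = """\
config firewall ssl-ssh-profile
    edit "deep-all"
        config ssl
            set inspect-all deep-inspection
        end
    next
    edit "deep-ports"
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "deep-all"
        set webproxy-profile "tenant-restrict"
    next
    edit 2
        set ssl-ssh-profile "deep-ports"
        set webproxy-profile "tenant-restrict"
    next
end
"""

def parse_tables(text):
    """Map table name -> entry name -> {(sub-section, key): value}."""
    tables, table, entry, depth, sub = {}, None, None, 0, ""
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth, sub = depth + 1, " ".join(tok[1:])
            if depth == 1:  # top-level table: start a fresh entry scope
                table, entry, sub = tables.setdefault(sub, {}), None, ""
        elif tok[0] == "end":
            depth, sub = depth - 1, ""
        elif tok[0] == "edit" and depth == 1:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[(sub, tok[1])] = " ".join(tok[2:])
    return tables

def bypassed_policies(text):
    """Policies whose web-proxy profile is ignored because inspect-all is enabled."""
    t, hits = parse_tables(text), []
    for pid, pol in t.get("firewall policy", {}).items():
        wp, ssl = pol.get(("", "webproxy-profile")), pol.get(("", "ssl-ssh-profile"))
        prof = t.get("firewall ssl-ssh-profile", {}).get(ssl, {})
        # Assumption: inspect-all omitted from a backup means the default (disable).
        if wp and prof.get(("ssl", "inspect-all"), "disable") != "disable":
            hits.append((pid, wp, ssl))
    return hits
```

Calling `bypassed_policies(SAMPLE)` reports policy 1 only; policy 2 uses a profile where inspect-all is left at its default, so its web-proxy profile is honoured.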
