Matt_B
Staff & Editor
Article Id 387569
Description: This article describes a method to configure domain-based SSL exemptions when using proxy-based inspection.
Scope: FortiOS.
Solution

In flow-based inspection, an SSL exemption is domain-based.

An SSL connection is only exempted from further inspection if the SNI matches the domain configured in the FQDN object. If no SNI is present, the CN of the server certificate is used instead.


In proxy-based inspection, SSL exemptions are IP-based by default.

FQDN and wildcard FQDN addresses in the SSL Exemption list are treated as IP addresses: once one SSL connection is exempted, other connections to the same IP address are also exempted, even if they are for a non-exempted domain. This treatment of FQDN addresses is by design and is the same as the behavior of FQDN addresses in firewall policies; see FortiOS v7.6.2 Administration Guide | FQDN addresses.


For example, if 'first.example.com' is exempted from deep inspection using an FQDN address configured on the SSL/SSH Inspection profile, and 'first.example.com' resolves to the IP address 203.0.113.113, then SSL connections to other resources at 203.0.113.113 will also be exempted, even if this is not intended.


C:\Users\fortinet> nslookup first.example.com
Server: UnKnown
Address: 10.255.255.11

Non-authoritative answer:
Name: first.example.com
Addresses: 198.51.100.100
           203.0.113.113

C:\Users\fortinet> nslookup second.example.com
Server: UnKnown
Address: 10.255.255.11

Non-authoritative answer:
Name: second.example.com
Addresses: 203.0.113.113


To create a domain-based SSL exemption that exempts 'first.example.com' but not 'second.example.com', configure a Web Rating Override that assigns 'first.example.com' to a custom local category, then use that category as the exemption entry in the SSL/SSH Inspection profile. The exemption is then decided by the rating of the requested domain rather than by the destination IP address.

config webfilter ftgd-local-cat
    edit "ssl_exemptions"
        set id 144    <-- this value must not be in use by another category.
    next
end

config webfilter ftgd-local-rating
    edit "first.example.com"
        set rating 144
    next
end

config firewall ssl-ssh-profile
    edit "Proxy-based SSL Inspection Profile"
        config ssl-exempt
            edit 0
                set type fortiguard-category
                set fortiguard-category 144
            next
        end
    next
end

SSL exemptions can also be configured in the GUI; see FortiOS v7.6.2 Administration Guide | Category Override Examples and FortiOS v7.6.2 Administration Guide | Using Local and Remote Categories.
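The three matching behaviors described in this article (flow-based SNI/CN matching, proxy-based IP matching of FQDN objects, and the category-based workaround) are modelled below as an added Python example. This is not FortiOS code and is not part of the original article; the DNS answers mirror the nslookup output above, while 'third.example.com', the connection values and all function names are constructed for illustration. The audit function goes a little beyond the article: it takes a whole SSL Exemption list and reports every known domain that proxy-based inspection would exempt only because it shares an IP with an exempted FQDN, which is the check to run before relying on FQDN exemptions in a proxy-based profile.

```python
"""Model of how a FortiGate SSL exemption matches a connection in flow-based
versus proxy-based inspection, plus an audit for collateral (IP-based)
exemptions. Added example, not FortiOS code; all data below is constructed."""

# Constructed DNS answers, mirroring the nslookup output in the article.
# third.example.com is a constructed extra name with its own address.
DNS = {
    "first.example.com": {"198.51.100.100", "203.0.113.113"},
    "second.example.com": {"203.0.113.113"},
    "third.example.com": {"192.0.2.10"},
}

# Constructed equivalent of 'config webfilter ftgd-local-rating':
# domain -> local category id (144 is the custom 'ssl_exemptions' category).
LOCAL_RATINGS = {"first.example.com": 144}


def domain_matches(name: str, pattern: str) -> bool:
    """Match a hostname against an FQDN or wildcard FQDN ('*.example.com')."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return name.endswith(suffix) and name != suffix[1:]
    return name == pattern


def exempt_ips(fqdn_exemptions: list[str]) -> set[str]:
    """Proxy mode: FQDN objects are resolved and treated as a set of IPs."""
    ips: set[str] = set()
    for pattern in fqdn_exemptions:
        for name, addrs in DNS.items():
            if domain_matches(name, pattern):
                ips |= addrs
    return ips


def is_exempt_flow(sni: str, cert_cn: str, fqdn_exemptions: list[str]) -> bool:
    """Flow mode: match on the SNI; fall back to the certificate CN if no SNI."""
    name = sni or cert_cn
    return any(domain_matches(name, p) for p in fqdn_exemptions)


def is_exempt_proxy_fqdn(dst_ip: str, fqdn_exemptions: list[str]) -> bool:
    """Proxy mode with FQDN objects: only the destination IP is consulted."""
    return dst_ip in exempt_ips(fqdn_exemptions)


def is_exempt_proxy_category(sni: str, cert_cn: str, categories: set[int]) -> bool:
    """Proxy mode with a fortiguard-category exemption: the hostname is rated
    through the local rating table, so the decision is domain-based again."""
    name = (sni or cert_cn).lower().rstrip(".")
    return LOCAL_RATINGS.get(name) in categories


def audit_collateral_exemptions(fqdn_exemptions: list[str]) -> dict[str, list[str]]:
    """Return {non-exempted domain: shared IPs} for every known domain that
    proxy mode would exempt only because it shares an IP with an exempted FQDN."""
    ips = exempt_ips(fqdn_exemptions)
    collateral: dict[str, list[str]] = {}
    for name, addrs in DNS.items():
        if any(domain_matches(name, p) for p in fqdn_exemptions):
            continue                    # intentionally exempted, not collateral
        shared = addrs & ips
        if shared:
            collateral[name] = sorted(shared)
    return collateral


if __name__ == "__main__":
    exemptions = ["first.example.com"]
    print("flow, second.example.com exempt?",
          is_exempt_flow("second.example.com", "", exemptions))
    print("proxy/FQDN, 203.0.113.113 exempt?",
          is_exempt_proxy_fqdn("203.0.113.113", exemptions))
    print("proxy/category, second.example.com exempt?",
          is_exempt_proxy_category("second.example.com", "", {144}))
    print("collateral:", audit_collateral_exemptions(exemptions))
```

Running the script with the single FQDN exemption 'first.example.com' shows the discrepancy the article describes: the flow-mode check says second.example.com is not exempt, the proxy/FQDN check exempts any connection to 203.0.113.113, and the audit lists second.example.com as collaterally exempted through that shared address. Switching to the category check restores a domain-based decision because only names rated into category 144 match.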