Created on 02-27-2023 04:53 AM
Edited on 10-30-2025 02:07 AM
By Jean-Philippe_P
| Description | This article describes 'ssl-inspection' usage for URL Web filter. |
| Scope | FortiGate. |
| Solution |
For plain-text HTTP traffic, the HTTP request is not encrypted. Therefore, an 'ssl-inspection' profile is not mandatory, and FortiGate can identify the full request URL http://example.com/index:
For HTTPS, however, the HTTP request is encrypted, and it is usually the first application data packet from the client. If only 'certificate-inspection' is used, the FortiGate cannot see the full request URL and can only identify the domain name in the SNI field of the client hello:
As shown in the picture, 'example.com' can be identified, but not the '/index' part. Therefore, it would not be possible, for instance, to block 'www.example.com/index' but allow 'www.example.com/xxxx'. Rules can only be applied based on the domain name, not the URI.
To view the complete URL path, particularly for encrypted HTTPS traffic, enabling deep inspection is necessary. Without deep inspection, only the domain name can be identified, not the entire URL path.
The inspection mode is applied per firewall policy, not directly in the URL filter. To enable 'certificate-inspection' or 'deep-inspection' from the CLI:
For deep-inspection:
For certificate-inspection:
|