FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
metz_FTNT
Staff
Article Id 247356
Description This article describes 'ssl-inspection' usage for URL Web filter.
Scope

FortiGate.

Solution

For plain-text HTTP traffic, the HTTP request is not encrypted.

Therefore an 'ssl-inspection' profile is not mandatory, and the FortiGate can identify the full request URL, http://example.com/index:

[Image: metz_FTNT_0-1677501314963.png]

For HTTPS, however, the HTTP request is encrypted, and it is usually carried in the first application data packet sent by the client.

If only 'certificate-inspection' is used, the FortiGate cannot see the full request URL; it can only identify the domain name carried in the SNI field of the Client Hello:

[Image: metz_FTNT_1-1677501599183.png]

As shown in the picture, 'example.com' can be identified, but not the '/index' part.

Therefore, with certificate inspection it is not possible, for instance, to block 'www.example.com/index' while allowing 'www.example.com/xxxx'.

Rules can only be applied based on the domain name, not on the URI.

 

To view the complete URL path for encrypted HTTPS traffic, deep inspection must be enabled. Without deep inspection, only the domain name can be identified, not the entire URL path.