Albert
New Contributor

DLP with HTTPS v5.2.3

I have Fortigate 80c with latest firmware 5.2.3

DLP is configured to block exe files and SSL inspection works fine with Facebook & YouTube; however users are able to download exe files only from HTTPS

 

FortiGate_80C # diag sys flash list

Partition  Image                                     TotalSize(KB)  Used(KB)  Use%  Active

1          FGT80C-5.00-FW-build310-150123                    39358     30112   77%  No   

2          FGT80C-5.02-FW-build670-150318                    38733     32743   85%  Yes  

3          ETDB-25.00162                                   6966660    177672    3%  No   

Image build at Mar 18 2015 03:06:12 for b0670

 

 

 

8 REPLIES 8
vmartin_FTNT
Staff
Staff

Which SSL inspection profile are you using, certificate-inspection or deep-inspection?

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

Albert
New Contributor

certificate-inspection

 SSL Certificate Inspection 
Camshaft007
New Contributor

Albert,

You may want to enable FULL SSL Inspection to prevent downloading .exe files via HTTPS connections.

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

Albert
New Contributor

If I did that users will see warning on all links. 

Camshaft007
New Contributor

I agree, but if I'm not mistaken you can't inspect SSL/encrypted traffic without deep packet inspection enabled.  You will need a valid cert from your CA Server or push the Self-signed cert to all your clients via GPO or something.

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

vmartin_FTNT
Staff
Staff

The only way for DLP to be applied to HTTPS traffic is to use full SSL inspection, as is done in the deep-inspection profile. We have a recipe on the Fortinet Cookbook about preventing certificate warnings that could help you out once you do use it.

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.

Albert
New Contributor

Ok, I get now but what if I have guest. there should be a simple way rather than install certificate on each computer.

Holy

AD GPO or if you already have a PKI infrastrukture just generate an CSR with your fortinet an let it sign by your root.

 

Albert wrote:

Ok, I get now but what if I have guest. there should be a simple way rather than install certificate on each computer.

NSE 8 

NSE 1 - 7