Allwyn_Mascarenhas
Contributor

https blocked with app control and no ssl certificate installed

Hi FortiGuys,

One of my clients wanted to block fb but without using SSL inspection, as he didn't want to install the cert on 100s of his staff computers.

I explained that there would be no other way to get it done.

Then, to convince the client, I opened a Fortinet ticket and got the same response: this can't be done without SSL inspection and cert installation.

Now this guy hired some other service provider, and those guys simply blocked the social media signatures in app control, applied it to the policy, and IT HAS WORKED.

It doesn't say "FortiGuard blocked" but just keeps the loading icon spinning, and fb doesn't load at all.

The whole situation is turning so embarrassing.

Please tell me, is this a proper workaround? Will this work in the long term? How is this even working? It looks like the browser simply doesn't complete the request in some way.

Please, any explanation here, thanks.

1 Solution
hmtay_FTNT
Staff

Hello,

Let me explain. To block most of the SSL applications, all that is required is certificate-inspection, not necessarily deep-inspection. Deep-inspection allows the FortiGate to identify more specific features of, let's say, Facebook - like Facebook_Chat and Facebook_Video. If your requirement is simply to block the application entirely, setting Facebook to Block with certificate-inspection is enough. The FortiGate parses the SNI in the SSL session to decide what the hostname of the session's destination is.

>>It doesn't say "fortiguard blocked" but just keeps the loading icon spinning and fb doesn't load at all.

If an SSL session is blocked without deep-inspection enabled - meaning only certificate-inspection is used - the FortiGate will not be able to send a replacement message. The replacement message is sent on a "best attempt" basis, meaning there will be some scenarios where the FortiGate cannot send the replacement message without breaking the fundamentals of the HTTP protocol.

HoMing
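The SNI-based classification HoMing describes, as an added example that is not FortiGate's or the forum's code: it builds a constructed TLS ClientHello, pulls the server name out of it without any decryption, and maps it to an app signature; the `APP_SIGNATURES` table, `build_client_hello` and `app_control_verdict` are illustrative assumptions, not FortiGuard's real signature database or engine.

```python
import struct

# Constructed hostname-suffix -> app signature table (illustrative, not FortiGuard's database).
APP_SIGNATURES = {
    "Facebook": ("facebook.com", "fbcdn.net", "messenger.com"),
    "YouTube": ("youtube.com", "googlevideo.com"),
}

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name               # name_type=0 (host_name)
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                           # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                            # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)                   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                                        # not a handshake/ClientHello
    try:
        pos = 9 + 2 + 32                                                   # skip client version and random
        pos += 1 + record[pos]                                             # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]                # cipher suites
        pos += 1 + record[pos]                                             # compression methods
        ext_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos); pos += 4
            if ext_type == 0 and length >= 5:                              # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += length
    except (IndexError, struct.error):
        return None                                                        # truncated record
    return None

def app_control_verdict(record: bytes, blocked_apps) -> str:
    """Certificate-inspection-only decision: match the SNI against app signatures. A hit
    means the session is dropped, not replaced with a block page, hence the spinning browser."""
    host = extract_sni(record)
    if host is None:
        return "allow"                                                     # nothing to classify on
    for app, suffixes in APP_SIGNATURES.items():
        if app in blocked_apps and any(host == s or host.endswith("." + s) for s in suffixes):
            return f"block:{app}"
    return "allow"
```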

7 Replies
Ralph1973
Contributor

I think this is liaised with DNS. I work with a customer for whom I configured application control. Their HA cluster doesn't have SSL inspection enabled, but Facebook still shows up in the application logs. Also, when you enable certificate inspection, the certificate domain name is readable. I always assume(d) that the FGT uses the DNS entries. But I will follow this thread to maybe know it for sure.

Kind regards,

Ralph Willemsen

Arnhem, Netherlands

Allwyn_Mascarenhas

Thanks for the response, Ralph.

FortiGate TAC did not even mention that this is a way to block HTTPS websites, and this has created an issue for us now.

Will this successfully block the sites, or is there a chance of them opening up at some point?

Ralph1973

Hello Allwynmasc, I did a quick check and I noticed that most/all(?) applications are recognized (e.g. Skype, Google).

I don't think it will notice subitems, like on Facebook (e.g. chat or video), but I recommend you test it.

I think it will be successfully blocked, from what I have seen. Please let me know if you find something.

Regards,

Ralph Willemsen

Allwyn_Mascarenhas

Thanks.

The thing is, we simply told the client he would have to install the SSL certificate on all his 100+ machines, after which he went to a different firm and got this solution without installing the SSL cert.

Fortinet should at least put this out there, but the sad part is their own TAC is not aware of half the features.

fjulianom

Hi guys,

It's been a long time since this post; did you get any answer?

I have the same scenario: my FortiGate is recognising and blocking all the HTTPS applications (Facebook, YouTube, etc.) and it is not using deep inspection. How then does FortiGate read the encrypted traffic?

Regards,

Julián

fjulianom
New Contributor III

Hi HoMing,

It makes a lot of sense. That answers the question in my other post:

https://forum.fortinet.com/tm.aspx?m=157911

Very good explanation. Thanks for clarifying.

Regards,

Julián
