I found out a more elegant solution!

1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block
2. [optional] Create a Group that will include all the above records
3. Create a rule in Policy->Policy that will deny the source: all and the destination the group or address in step 1-2, scheduled always with the HTTPS service and put the rule as high as possible

@okidoki99 It doesn't work for me... Could you give a look at my configs??

SSL Inspection: Policy: AddressObjects: WebFilter:

PS: I tried with facebook and Google urls...
Is there any way to get rid of that page with the certificate being expired, even on google page?

I don't understand your question much? But when I used SSL inspection feature I encountered certificate error page whenever I browsed to https pages. I tried to import Fortinet_CA_SSLProxy, and I never see the error pages again.
Regards, Paulo Raponi
It's not a good idea to block using Firewall Address. First, because some providers, like Google, use the same IP for more than one service. So you will block "youtube.com" and this can block "docs.google.com" too... Second, because most of these services use Akamai CDN, so you will block facebook.com but will block another random site. The best way to block HTTPS sites is using SSL Inspection. Like this video: http://www.youtube.com/watch?v=-7OUDfhtc_g

The problem of invalid certificate can be solved using an Active Directory to deploy to all hosts your own certificate, for example.

Regards, Paulo Raponi

Hello Paulo, I also think the better way to block HTTPS is with SSL Inspection, but I'm stuck in certificate's problem... Is it possible to deploy Fortinet_CA_SSLProxy to all computers at my Active Directory without an AD Certification Authority? Or, doing this can I get problems because the Fortinet_CA_SSLProxy is the same for every Fortigate?

Best regards,
Regards, Paulo Raponi
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
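
The over-blocking described in the reply above (shared provider IPs and CDN edges), as an added example that is not part of the original thread: a deny rule on an FQDN address object matches on the resolved destination IP, so this audit lists which unlisted hostnames would be caught. The hostnames, IPs (documentation ranges) and function names are constructed for illustration.

```python
# Added example: constructed data, not taken from the thread.
# A deny rule on an FQDN address object is enforced on the IPs the name
# resolves to, not on the hostname the client actually asked for.

# Constructed DNS snapshot (documentation IP ranges, hypothetical hostnames).
DNS_SNAPSHOT = {
    "video.example.com": {"192.0.2.10", "192.0.2.11"},
    "docs.example.com": {"192.0.2.11", "192.0.2.12"},  # shares a front-end IP
    "social.example.net": {"198.51.100.20"},           # served from a CDN edge
    "shop.example.org": {"198.51.100.20"},             # same CDN edge
    "intranet.example.org": {"203.0.113.5"},
}


def blocked_ips(fqdn_objects, dns):
    """IPs the deny policy matches once each FQDN object is resolved."""
    ips = set()
    for name in fqdn_objects:
        ips |= dns.get(name, set())
    return ips


def ip_rule_collateral(fqdn_objects, dns):
    """Return (unreachable, degraded) hostnames that were never listed.

    unreachable: every address of the host is in the deny set.
    degraded:    only some addresses are, so connections fail intermittently.
    """
    deny = blocked_ips(fqdn_objects, dns)
    unreachable, degraded = [], []
    for host, ips in sorted(dns.items()):
        if host in fqdn_objects or not (ips & deny):
            continue  # intentionally blocked, or not affected at all
        (unreachable if ips <= deny else degraded).append(host)
    return unreachable, degraded


if __name__ == "__main__":
    block_list = {"video.example.com", "social.example.net"}
    down, flaky = ip_rule_collateral(block_list, DNS_SNAPSHOT)
    print("deny set:", sorted(blocked_ips(block_list, DNS_SNAPSHOT)))
    print("unlisted but unreachable:", down)
    print("unlisted and degraded:", flaky)
```

Running the same audit against real resolver output before enabling an FQDN deny rule shows the collateral in advance; hostname-based matching through SSL inspection and the web filter does not have this side effect.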