Block HTTPS sites by URL
[using FortiGate 100D v5.02]
I set up the WebFilter to block some categories, like Social Networking.
If a user tries to access a site using HTTP it works fine, blocking the access. But if the user tries using HTTPS, the access is allowed.
I read about the necessity to use SSL Inspection, but if I activate it, I get some errors about the certificate.
Then, I found this option inside UTM >> WebFilter:
What does this option do?
With this, could I block URL access without using HTTPS Inspection?
In my site, Inspection of SSL Content is not necessary; I just would like to block access to websites via HTTPS...
19 REPLIES
I found out a more elegant solution!
1. Create in Firewall Objects -> Address an FQDN record for every site that you have to block
2. [optional] Create a Group that will include all the above records
3. Create a rule in Policy -> Policy that denies source: all to the destination group or address from steps 1-2, scheduled always, with the HTTPS service, and put the rule as high as possible
@okidoki99 It doesn't work for me... Could you take a look at my configs? SSL Inspection:
"is there any way to get rid of that page with the certificate being expired, even on google page?"
I don't understand your question much. But when I used the SSL inspection feature I encountered a certificate error page whenever I browsed to HTTPS pages. I tried importing Fortinet_CA_SSLProxy, and I never see the error pages again.
I also can block HTTPS pages using SSL Inspection and WebFilter, but I got the same certificate errors.
My company has more than 120 computers.
I think it will not be easy to import Fortinet_CA_SSLProxy on all computers...
@Sazi: if your computers are integrated in an Active Directory domain, you can make a GPO to deploy the certificate.
It's not a good idea to block using Firewall Address.
First, because some providers, like Google, use the same IP for more than one service. So you will block "youtube.com" and this can block "docs.google.com" too...
Second, because most of these services use the Akamai CDN, so you will block facebook.com but you will also block another random site.
The best way to block HTTPS sites is using SSL Inspection. Like this video:
http://www.youtube.com/watch?v=-7OUDfhtc_g
The problem of the invalid certificate can be solved using Active Directory to deploy your own certificate to all hosts, for example.
Regards,
Paulo Raponi
Hello Paulo, I also think the better way to block HTTPS is with SSL Inspection, but I'm stuck on the certificate problem... Is it possible to deploy Fortinet_CA_SSLProxy to all computers in my Active Directory without an AD Certification Authority? Or, doing this, can I run into problems because the Fortinet_CA_SSLProxy is the same for every Fortigate? Best regards,
sazi,
Yes. You can deploy to the whole AD forest without a Certification Authority:
GPO Path (print screen attached):
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities.
Right click and import Fortinet_CA_SSLProxy. As it is a Computer GPO, the workstations need to be rebooted after the GPO is applied.
Yes to your second question. This certificate is the same for all Fortigates in the world. Theoretically it is a security problem. But in the "real world" it is very difficult to see an attack of this type. But you can solve this by creating your own CA.
Regards, Paulo Raponi
You're much better off creating an offline CA with an old box.
I just did this with CentOS and OpenSSL. It's actually quite easy, and the learning curve isn't too great.
Also, check out how to configure SSL/TLS inspection using a CA on your Fortigate unit, using the CA you configured a...
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
One issue with YouTube not getting blocked is that the CA certificate for YouTube has CN *.google.com and *.youtube.com is only an alias.
I read that Fortigate blocks HTTPS sites using the CN in certificates. Could it be that due to the generic CN in YouTube's certificate we face problems in blocking?
Google Drive / Google Play are also using the *.google.com certificate, hence the https versions cannot be blocked.
GMail doesn't have this issue; that is why it's easily blocked.
Any suggestions?
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
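An added example, not from this thread or from Fortinet, showing the matching problem the post above describes: a filter that compares only the certificate CN never sees names that appear only in the Subject Alternative Name extension, and a block keyed on a shared certificate hits every host behind it. The CN and SAN values are constructed samples, not real certificate data.

```python
"""Added example (not from this thread or Fortinet): how certificate-name
matching decides which HTTPS hosts a filter can tell apart. The CN and SAN
values below are constructed samples modelled on the post above."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS identity match. A leading '*.' matches exactly one
    label (RFC 6125 style): '*.google.com' covers 'docs.google.com' but not
    'google.com' or 'a.b.google.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".google.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers_host(cn: str, sans: list[str], hostname: str, use_sans: bool = True) -> bool:
    """True if the certificate identifies `hostname`. With use_sans=False only
    the CN is consulted, mimicking a filter that keys on the CN alone."""
    names = [cn] + (list(sans) if use_sans else [])
    return any(dns_name_matches(n, hostname) for n in names)


def missed_by_cn_only(cn: str, sans: list[str], blocklist: list[str]) -> list[str]:
    """Blocked hosts that the certificate does identify (via a SAN entry) but
    that a CN-only comparison would not see, so the block silently fails."""
    return [h for h in blocklist
            if cert_covers_host(cn, sans, h) and not cert_covers_host(cn, sans, h, use_sans=False)]


def shared_with_blocked(cn: str, sans: list[str], blocked: str, others: list[str]) -> list[str]:
    """Other hosts presenting the same certificate as `blocked`: a block keyed on
    this certificate's identity takes them down as well."""
    if not cert_covers_host(cn, sans, blocked):
        return []
    return [h for h in others if cert_covers_host(cn, sans, h)]


# Constructed sample: the CN is the generic *.google.com; YouTube appears only in the SAN list.
SAMPLE_CN = "*.google.com"
SAMPLE_SANS = ["*.google.com", "*.youtube.com", "youtube.com"]

if __name__ == "__main__":
    print(missed_by_cn_only(SAMPLE_CN, SAMPLE_SANS, ["www.youtube.com", "docs.google.com"]))
    print(shared_with_blocked(SAMPLE_CN, SAMPLE_SANS, "www.youtube.com", ["docs.google.com", "www.facebook.com"]))
```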