sazi
New Contributor

Block HTTPS sites by URL

[using FortiGate 100D v5.02] I set up the WebFilter to block some categories, like Social Networking. If a user tries to access using HTTP, it works fine, blocking the access. But if the user tries using HTTPS, the access is allowed. I read about the necessity to use SSL Inspection, but if I activate it, I get some errors about certificates. Then I found this option inside UTM >> WebFilter: What does this option do? With this, could I block URL access without using HTTPS Inspection? On my site, Inspection of SSL content is not necessary; I just would like to block access to websites via HTTPS...
okidoki99
New Contributor

I found out a more elegant solution!
1. Create in Firewall Objects -> Address a FQDN record for every site that you have to block
2. [optional] Create a Group that will include all the above records
3. Create a rule in Policy -> Policy that will deny the source: all and the destination: the group or address from steps 1-2, scheduled always, with the HTTPS service, and put the rule as high as possible
sazi
New Contributor

@okidoki99 It doesn't work for me... Could you take a look at my configs? SSL Inspection: Policy: AddressObjects: WebFilter: PS: I tried with facebook and Google urls...
networkingkool
New Contributor

Is there any way to get rid of that page with the certificate being expired, even on the Google page?
I don't understand your question much. But when I used the SSL inspection feature I encountered a certificate error page whenever I browsed to https pages. I tried to import Fortinet_CA_SSLProxy, and I never saw the error pages again.
sazi

I also can block HTTPS pages using SSL Inspection and WebFilter, but I get the same certificate errors. My company has more than 120 computers. I think it will not be easy to import Fortinet_CA_SSLProxy on all computers...
Heodrene
New Contributor

@Sazi: if your computers are integrated in an Active Directory domain, you can make a GPO to deploy the certificate.
pcraponi
Contributor II

It's not a good idea to block using Firewall Address. First, because some providers, like Google, use the same IP for more than one service. So you will block "youtube.com" and this can block "docs.google.com" too... Second, because most of these services use the Akamai CDN, so you will block facebook.com but will also block another random site. The best way to block HTTPS sites is using SSL Inspection. Like this video: http://www.youtube.com/watch?v=-7OUDfhtc_g The problem of the invalid certificate can be solved by using Active Directory to deploy your own certificate to all hosts, for example.

Regards, Paulo Raponi
sazi
New Contributor

Hello Paulo, I also think the better way to block HTTPS is with SSL Inspection, but I'm stuck on the certificate problem... Is it possible to deploy Fortinet_CA_SSLProxy to all computers in my Active Directory without an AD Certification Authority? Or, by doing this, can I get problems because the Fortinet_CA_SSLProxy is the same for every Fortigate? Best regards,
pcraponi
Contributor II

sazi, Yes. You can deploy to the whole AD forest without a Certification Authority. GPO Path (print screen attached): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Right click and import Fortinet_CA_SSLProxy. As it is a Computer GPO, the workstations need to be rebooted after the GPO is applied. Yes to your second question. This certificate is the same for all Fortigates in the world. Theoretically it is a security problem. But in the "real world" it is very difficult to see an attack of this type. But you can solve this by creating your own CA.

Regards, Paulo Raponi
mbrowndcm
New Contributor III

You're much better off creating an offline CA with an old box. I just did this with CentOS and OpenSSL. It's actually quite easy, and the learning curve isn't too great. Also, check out how to configure SSL/TLS inspection using a CA on your Fortigate unit, using the CA you configured a...
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
Dipen
New Contributor III

One issue with YouTube not getting blocked is that the CA certificate for YouTube has the CN *.google.com, and *.youtube.com is only an alias. I read that the Fortigate blocks HTTPS sites using the CN in certificates. Could it be that, due to the generic CN in YouTube's certificate, we face problems in blocking? Google Drive / Google Play also use the *.google.com certificate, hence the https versions cannot be blocked. GMail doesn't have this issue, which is why it's easily blocked. Any suggestions?

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
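As an added illustration of the point Dipen raises (and of Paulo's warning about over-blocking), here is a small model of three ways a filter can decide on an HTTPS connection: by the certificate's Common Name only, by every name the certificate carries (CN plus Subject Alternative Names, compared the way browsers do under RFC 6125), and by the hostname the client asked for in the TLS ClientHello (SNI). This is example code written for this thread, not code from the forum posts or from FortiOS, and it does not reproduce the FortiGate's actual filter logic; the certificate summaries, blocklists and SNI values are constructed sample data.

```python
"""Why filtering HTTPS by the certificate Common Name (CN) both misses and
over-blocks sites behind wildcard certificates, compared with checking every
name the certificate carries (CN plus Subject Alternative Names, RFC 6125) and
with checking the hostname the client actually asked for (TLS SNI).

Added example; not code from the Fortinet forum thread or from FortiOS, and
not a reproduction of the FortiGate filter logic. Certificate summaries,
blocklists and SNI values below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Constructed summary of the name fields of a server certificate."""
    common_name: str
    sans: list[str] = field(default_factory=list)


def name_matches(presented: str, host: str) -> bool:
    """RFC 6125 style comparison of a presented name against a hostname.

    A leading '*.' covers exactly one label: '*.google.com' matches
    'docs.google.com' but neither 'google.com' nor 'a.b.google.com'.
    """
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if presented == host:
        return True
    if not presented.startswith("*."):
        return False
    p_labels, h_labels = presented.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cn_only_decision(cert: CertNames, blocklist: list[str]) -> str:
    """Filter that compares only the CN against the blocked hostnames."""
    if any(name_matches(cert.common_name, b) for b in blocklist):
        return "block"
    return "allow"


def all_names_decision(cert: CertNames, blocklist: list[str]) -> str:
    """Filter that considers every name the certificate is valid for.

    Browsers ignore the CN once SANs are present; the CN is kept only as a
    fallback for certificates that carry no SAN extension.
    """
    names = cert.sans or [cert.common_name]
    if any(name_matches(n, b) for n in names for b in blocklist):
        return "block"
    return "allow"


def sni_decision(sni: str, blocklist: list[str]) -> str:
    """Filter on the hostname the client requested (TLS ClientHello SNI).

    Blocklist entries may themselves be wildcard patterns. SNI is the only
    one of the three inputs that identifies the intended site when several
    sites share one wildcard certificate.
    """
    if any(name_matches(b, sni) for b in blocklist):
        return "block"
    return "allow"


# Constructed certificates modelled on the thread: a generic *.google.com CN
# with the video site only present in the SAN list, and a Gmail certificate
# whose CN names the host directly.
YOUTUBE_CERT = CertNames("*.google.com",
                         ["*.google.com", "youtube.com", "*.youtube.com"])
GMAIL_CERT = CertNames("mail.google.com", ["mail.google.com"])
PLAY_CERT = CertNames("*.google.com", ["*.google.com", "play.google.com"])


def run_scenarios() -> dict[str, dict[str, str]]:
    """Decision per filter strategy for three constructed visits."""
    scenarios = {
        # User opens https://www.youtube.com; admin blocked youtube.com.
        "youtube": (YOUTUBE_CERT, "www.youtube.com",
                    ["youtube.com", "*.youtube.com"]),
        # User opens https://mail.google.com; admin blocked mail.google.com.
        "gmail": (GMAIL_CERT, "mail.google.com", ["mail.google.com"]),
        # User opens https://play.google.com; admin blocked docs.google.com.
        "play_vs_docs": (PLAY_CERT, "play.google.com", ["docs.google.com"]),
    }
    results = {}
    for name, (cert, sni, blocklist) in scenarios.items():
        results[name] = {
            "cn_only": cn_only_decision(cert, blocklist),
            "all_names": all_names_decision(cert, blocklist),
            "sni": sni_decision(sni, blocklist),
        }
    return results


if __name__ == "__main__":
    for scenario, decisions in run_scenarios().items():
        print(scenario, decisions)
```

Running it shows the two failure modes side by side: the CN-only filter lets www.youtube.com through because *.google.com never matches a youtube.com entry, while both certificate-based strategies block play.google.com when only docs.google.com is on the list, because the wildcard certificate is equally valid for both hosts. Only the requested hostname distinguishes the two, which is why the thread ends up at SSL inspection rather than address objects or certificate names.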