FgjNet
New Contributor

Cannot block access to https://www.facebook.com

Hi, we have problems with blocking HTTPS traffic (blocking access to Facebook) on our FortiGate 60C. It looks like SSL inspection (Deep Scanning) is not working. We were able to block access to Facebook (HTTPS) in version 5.0.3, but we had to downgrade due to high memory consumption in version 5.0.3. So now we are running 4.0 MR3 patch 14 (v4.0 build665,130514) of FortiOS, but we cannot block access to https://www.facebook.com. We are using Web Filtering (FortiGuard categories). AFAIK all settings should be OK; check the screenshots. Any ideas? Thank you for your feedback.

BR, FN
74 replies
FgjNet
New Contributor

Hi Dipen, what do you mean? Did you reformat flash and upload FortiOS again as bobm suggests? Do you still have problems with blocking HTTPS sites?

BR, FN
Faulty_Male
New Contributor III

You can try 5.0.4 now - this should be better on memory use.
Bromont_FTNT
Staff

If not using deep scanning in v4, have you tried placing "facebook.com" in the URL filter (block)?
bobm
New Contributor III

Thanks Fgj - it'll be a real pain to take the router out of service, and even worse if it doesn't solve the problem!

Faulty - 5.0.4 is OK on memory, and support did some tweaking on TTL and cache settings that helped, but it still doesn't solve the HTTPS issue.

Bromont - I have tried deep scanning as well, and it causes constant certificate errors. But I have added the usual suspects (Facebook, YouTube, eBay, Twitter...) to the URL filtering in the UTM profile, and have even put a Deny policy directly into the router with these sites for both HTTP and HTTPS services. Still gets past.
Rfornell
New Contributor

Here was my workaround for v5.0 build0179 (GA Patch 2). In Policy - SSL/SSH Inspection I created a new one by clicking the + sign in the upper right corner next to the default drop-down. By default a new rule has all the ports enabled; I just named it Restricted Internet. Then in my policy, under UTM Security Profiles, I selected Restricted Internet in the SSL/SSH Inspection.

EDIT: You must also have "Enable HTTPS URL Scan Only" checked in the Web Filter profile you are using if you have any actual HTTPS URLs allowed in the URL Filter, otherwise you will get the security certificate errors. I had issues with one of the three firewalls popping up the certificate errors. Our users were trying to get to ADP via HTTPS. Finally figured out the difference and now all three firewalls are working correctly.

The policy that this is attached to is to allow plant and lunch room PCs access to only 4 web-based URLs. This was working in a previous version; I happened to read this post and realized it was no longer working. Always nice to find stuff like this that once was working and now, as creative as some users are, they were probably accessing Facebook. GRrrrrrrr
bobm
New Contributor III

For some reason I'm not getting the "URL Scan Only" option in the profiles. But I was able to get my box RMA'd because users were also being kicked off an hour after they logged in, and none of the other fixes had done anything. So I got a new 60C, upgraded the FW to 5.0.4, and loaded our config (that supposedly worked fine in Fortinet's test environment), and no change whatsoever. HTTPS still bypasses the filters, and users are still being challenged again after roughly an hour. My conclusion is it definitely wasn't a corrupted flash, unless the new box was also corrupted.
bobm
New Contributor III

OK, having trouble with the screen shot, but maybe this is a little easier to see
Bromont_FTNT
Staff

Things have changed again... to do HTTPS scanning using only the certificate CN or SNI, you need the SSL/SSH inspection profile turned on in the firewall policy. To do SSL deep inspection (man-in-the-middle) you need both SSL/SSH inspection in the firewall policy and "scan encrypted connections" in the web filter profile.
bobm
New Contributor III

But then we run into certificate errors whenever someone tries to validly connect to HTTPS sites.
Bromont_FTNT
Staff

With SSL/SSH inspection on the firewall policy and "scan encrypted connections" unchecked, you should still be able to inspect most sites via cert CN/SNI... if the site is blocked then you get the certificate warning, as the FortiGate must generate the blocked page message over HTTPS using its own certificate. What sites are not being caught?