
Cloud App

I'm trying to deploy SSL deep inspection. Using AD and GPO, I have distributed the ForiGate_CA_SSL certificate to all workstations. Basically everything works; I've configured SSL-inspection exemptions for key domains (banks, our mail server, etc.). For some reason, however, I do not see the inspected applications in FortiView under the Cloud Applications tab. In the traffic log I can see users accessing these sites (Facebook, Instagram), and the browser shows the page as signed by the FortiGate certificate (so the traffic is being decrypted), but no further statistics appear in FortiView. The only entry I can see there is BingSearch. I tried different browsers with no change. FortiOS 5.6 and FortiAnalyzer (FAZ) 5.6 beta.

 

Is there a way to tell whether this is a bug or a misconfiguration on my side?

 

# SSL/SSH inspection profile referenced by firewall policy 2 (set ssl-ssh-profile "deep-inspection_new").
# The enclosing "config firewall ssl-ssh-profile" block is not shown in this paste.
# Every SSL-based protocol is deep-inspected (decrypted and re-signed with the CA the clients
# were given via GPO), except the destinations listed under ssl-exempt.
edit "deep-inspection_new"
        set comment "Deep inspection."
        config ssl
            set inspect-all deep-inspection
            # NOTE(review): with this enabled, a server certificate that is expired, untrusted,
            # revoked or has a name mismatch is still accepted and re-signed with a CA the clients
            # trust, so the browsers behind this profile never see the error. That removes the
            # clients' ability to detect a bad or spoofed server certificate. The FortiOS default
            # is "disable"; keep "enable" only if a specific site with a broken certificate must
            # be reachable, and prefer exempting that one site instead. Confirm this is intentional.
            set allow-invalid-server-cert enable
        end
        # Traffic to these addresses is NOT decrypted, so it is also invisible to the AV, application
        # control and other content inspection attached to the policy. Several entries ("Google",
        # "microsoft", "apple", "android", ...) look like broad predefined FQDN/wildcard address
        # objects rather than single hosts — verify each one still needs to be exempt, since every
        # exemption is an inspection bypass.
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google"
            next
            edit 3
                set type address
                set address "Gotomeeting"
            next
            edit 4
                set type address
                set address "Mozzila"
            next
            edit 5
                set type address
                set address "Windows update 2"
            next
            edit 6
                set type address
                set address "accounts.google.cz"
            next
            edit 7
                set type address
                set address "adobe"
            next
            edit 8
                set type address
                set address "android"
            next
            edit 9
                set type address
                set address "apple"
            next
            edit 10
                set type address
                set address "appstore"
            next
            edit 11
                set type address
                set address "auth.gfx.ms"
            next
            edit 12
                set type address
                set address "autoupdate.opera.com"
            next
            edit 13
                set type address
                set address "citrix"
            next
            edit 14
                set type address
                set address "dropbox.com"
            next
            edit 15
                set type address
                set address "eease"
            next
            edit 16
                set type address
                set address "firefox update server"
            next
            edit 17
                set type address
                set address "fortinet"
            next
            edit 18
                set type address
                set address "google-drive"
            next
            edit 19
                set type address
                set address "google-play"
            next
            edit 20
                set type address
                set address "google-play2"
            next
            edit 21
                set type address
                set address "google-play3"
            next
            edit 22
                set type address
                set address "googleapis.com"
            next
            edit 23
                set type address
                set address "icloud"
            next
            edit 24
                set type address
                set address "itunes"
            next
            edit 25
                set type address
                set address "live.com"
            next
            edit 26
                set type address
                set address "mail.google.com"
            next
            edit 27
                set type address
                set address "microsoft"
            next
            edit 28
                set type address
                set address "skype"
            next
            edit 29
                set type address
                set address "softwareupdate.vmware.com"
            next
            edit 30
                set type address
                set address "swscan.apple.com"
            next
            edit 31
                set type address
                set address "update.microsoft.com"
            next
            edit 32
                set type address
                set address "verisign"
            next
            edit 33
                # Exempts a whole FortiGuard web-filter category; 31 is presumably "Finance and
                # Banking" (the banking exemption mentioned in the post) — confirm against the
                # category list on this firmware.
                set fortiguard-category 31
            next
        end
        # Each exempted session is logged, which keeps the inspection bypasses auditable.
        set ssl-exemptions-log enable
    next

# Outbound internet-access policy for the "30-LANZAME" segment: LAN -> wan1 with source NAT,
# the UTM stack (AV, web filter, IPS, application control, antispam) and the deep-inspection
# SSL/SSH profile defined earlier in this post.
config firewall policy
    edit 2
        set name "LANZAME_NB&PC"
        set uuid b87feaea-149a-51e7-627f-a4eda4155f2f
        set srcintf "30-LANZAME"
        set dstintf "wan1"
        set srcaddr "LANZAME_NB&PC"
        # NOTE(review): dstaddr "all" together with service "ALL" (below) allows any outbound
        # protocol and port from this segment; UTM profiles only inspect the protocols they
        # understand, so unknown ports pass uninspected. Restricting the service list to what
        # these clients actually need is the least-privilege option.
        set dstaddr "all"
        set internet-service disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        # Enables the security profiles listed further down on this policy.
        set utm-status enable
        # Logs every session (not only UTM events); FortiView/FortiAnalyzer statistics presumably
        # depend on these logs — confirm the logging destination is receiving them.
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        # Decrypted traffic is not mirrored to another interface.
        set ssl-mirror disable
        # Connections to known botnet C&C destinations are blocked, not merely logged.
        set scan-botnet-connections block
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "LANZAME"
        set dnsfilter-profile ''
        set spamfilter-profile "default"
        set dlp-sensor ''
        set ips-sensor "LANZAME_client"
        set application-list "LANZAME"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set profile-protocol-options "default"
        # The deep-inspection profile; its ssl-exempt list decides which HTTPS destinations on
        # this policy bypass decryption (and therefore the AV/app-control inspection above).
        set ssl-ssh-profile "deep-inspection_new"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        # Source NAT to the wan1 interface address (no IP pool, no fixed port).
        set nat enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool disable
        set match-vip disable
    next
end

Thank you

Jirka
