I'm trying to deploy SSL deep inspection. Using AD and GPO, I have distributed the ForiGate_CA_SSL certificate to all workstations. Basically everything works, and I've set an exception for key domains (banks, our mail server, etc.). For some reason, however, I do not see these applications in FortiView under the Cloud Application tab. In the log I can see that the user accesses these pages (Facebook, Instagram), and the browser shows the FortiGate certificate for the page, but no other statistics are available in FortiView. The only record I can see there is BingSearch. I tried different browsers with no change. FortiOS 5.6 and FAZ 5.6 beta.
Is there a way to tell whether this is a bug or a misconfiguration?
# SSL/SSH inspection profile entry. The enclosing "config firewall
# ssl-ssh-profile" line and its closing "end" are not part of this listing.
edit "deep-inspection_new"
set comment "Deep inspection."
config ssl
# Full TLS interception (re-signing with the FortiGate CA) on all ports,
# as opposed to certificate-inspection only.
set inspect-all deep-inspection
# NOTE(review): as named, this accepts origin-server certificates that fail
# validation (expired, self-signed, name mismatch). Since clients trust the
# re-signed certificate from the GPO-distributed CA, a bad origin certificate
# is presumably never surfaced to the browser -- confirm in the FortiOS 5.6
# reference and consider "disable" unless a specific site requires it.
set allow-invalid-server-cert enable
end
# Sessions matching any entry below bypass deep inspection entirely, so they
# are also outside the reach of the inspection-dependent UTM profiles on the
# policy that references this profile.
config ssl-exempt
# Entries 1-32 exempt by firewall address object. Only the object names are
# visible here; what each resolves to is defined elsewhere on the unit.
edit 1
set type address
set address "Adobe Login"
next
edit 2
set type address
set address "Google"
next
edit 3
set type address
set address "Gotomeeting"
next
edit 4
set type address
set address "Mozzila"
next
edit 5
set type address
set address "Windows update 2"
next
edit 6
set type address
set address "accounts.google.cz"
next
edit 7
set type address
set address "adobe"
next
edit 8
set type address
set address "android"
next
edit 9
set type address
set address "apple"
next
edit 10
set type address
set address "appstore"
next
edit 11
set type address
set address "auth.gfx.ms"
next
edit 12
set type address
set address "autoupdate.opera.com"
next
edit 13
set type address
set address "citrix"
next
edit 14
set type address
set address "dropbox.com"
next
edit 15
set type address
set address "eease"
next
edit 16
set type address
set address "firefox update server"
next
edit 17
set type address
set address "fortinet"
next
edit 18
set type address
set address "google-drive"
next
edit 19
set type address
set address "google-play"
next
edit 20
set type address
set address "google-play2"
next
edit 21
set type address
set address "google-play3"
next
edit 22
set type address
set address "googleapis.com"
next
edit 23
set type address
set address "icloud"
next
edit 24
set type address
set address "itunes"
next
edit 25
set type address
set address "live.com"
next
edit 26
set type address
set address "mail.google.com"
next
edit 27
set type address
set address "microsoft"
next
edit 28
set type address
set address "skype"
next
edit 29
set type address
set address "softwareupdate.vmware.com"
next
edit 30
set type address
set address "swscan.apple.com"
next
edit 31
set type address
set address "update.microsoft.com"
next
edit 32
set type address
set address "verisign"
next
# Entry 33 exempts by FortiGuard web category instead of by address
# (presumably the banking category the post mentions -- verify the number
# against the FortiGuard category list for this FortiOS version).
edit 33
set fortiguard-category 31
next
end
# Log sessions that hit an exemption; useful to check which of the entries
# above actually match the traffic in question.
set ssl-exemptions-log enable
next
# Outbound policy from the "30-LANZAME" interface to wan1 for the
# "LANZAME_NB&PC" source objects: any destination, any service, NAT, with
# UTM profiles applied and full traffic logging.
config firewall policy
edit 2
set name "LANZAME_NB&PC"
set uuid b87feaea-149a-51e7-627f-a4eda4155f2f
set srcintf "30-LANZAME"
set dstintf "wan1"
set srcaddr "LANZAME_NB&PC"
# Destination and service are both wildcards; everything outbound from the
# source objects is accepted and relies on the UTM profiles below for control.
set dstaddr "all"
set internet-service disable
set rtp-nat disable
set learning-mode disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "ALL"
# utm-status must be enabled for the security profiles referenced further
# down (av, webfilter, ips, application-list, ssl-ssh-profile) to take effect.
set utm-status enable
# Allowed sessions are logged, not just denied ones.
set logtraffic all
set logtraffic-start disable
set auto-asic-offload enable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
# Decrypted traffic is not mirrored to another interface.
set ssl-mirror disable
# Connections to known botnet C&C addresses are blocked rather than only logged.
set scan-botnet-connections block
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
set profile-type single
set av-profile "default"
set webfilter-profile "LANZAME"
set dnsfilter-profile ''
set spamfilter-profile "default"
set dlp-sensor ''
set ips-sensor "LANZAME_client"
# NOTE(review): the FortiView Cloud Applications view is presumably fed by
# application-control events from this list; if the "LANZAME" list does not
# log the relevant signatures, nothing will appear there no matter how the
# ssl-ssh profile is set -- confirm against the 5.6 documentation.
set application-list "LANZAME"
set voip-profile ''
set icap-profile ''
set waf-profile ''
set profile-protocol-options "default"
# References the deep-inspection profile defined earlier in this post.
set ssl-ssh-profile "deep-inspection_new"
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
set nat enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool disable
set match-vip disable
next
end
Thank you
Jirka