I have a FortiGate 80C with the latest firmware, 5.2.3.
DLP is configured to block exe files, and SSL inspection works fine with Facebook & YouTube; however, users are able to download exe files only from HTTPS.
FortiGate_80C # diag sys flash list
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT80C-5.00-FW-build310-150123 39358 30112 77% No
2 FGT80C-5.02-FW-build670-150318 38733 32743 85% Yes
3 ETDB-25.00162 6966660 177672 3% No
Image build at Mar 18 2015 03:06:12 for b0670
Which SSL inspection profile are you using, certificate-inspection or deep-inspection?
Technical Writer, FortiOS
Let me know if there's anything you want to see added to the FortiGate Cookbook.
Albert,
You may want to enable FULL SSL Inspection to prevent downloading .exe files via HTTPS connections.
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
I agree, but if I'm not mistaken you can't inspect SSL/encrypted traffic without deep packet inspection enabled. You will need a valid cert from your CA Server or push the Self-signed cert to all your clients via GPO or something.
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
The only way for DLP to be applied to HTTPS traffic is to use full SSL inspection, as is done in the deep-inspection profile. We have a recipe on the Fortinet Cookbook about preventing certificate warnings that could help you out once you do use it.
Technical Writer, FortiOS
Let me know if there's anything you want to see added to the FortiGate Cookbook.
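The change described in the reply above, as an added FortiOS 5.2 CLI example that is not part of the original thread: the policy carrying the DLP sensor is shown first with the certificate-inspection profile, then with deep-inspection. The policy ID `1` and the sensor name `block-exe` are placeholders, and the `#` lines are annotations, not commands to paste.

```fortios
# Before: only the certificate handshake is inspected, so the DLP sensor
# never sees file content carried inside HTTPS.
config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "block-exe"
        set ssl-ssh-profile "certificate-inspection"
    next
end

# After: full SSL inspection decrypts the session, so the same DLP sensor
# is applied to HTTPS downloads as well.
config firewall policy
    edit 1
        set utm-status enable
        set dlp-sensor "block-exe"
        set ssl-ssh-profile "deep-inspection"
    next
end
```

Clients must trust the CA certificate the FortiGate uses to re-sign sessions, otherwise browsers show certificate warnings on every inspected site.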
Ok, I get it now, but what if I have guests? There should be a simple way rather than installing a certificate on each computer.
AD GPO, or if you already have a PKI infrastructure, just generate a CSR with your Fortinet and let it be signed by your root.
Albert wrote: Ok, I get it now, but what if I have guests? There should be a simple way rather than installing a certificate on each computer.
NSE 8
NSE 1 - 7