DLP with HTTPS v5.2.3
I have Fortigate 80c with latest firmware 5.2.3
DLP is configured to block exe files and SSL inspection works fine with Facebook & YouTube; however, users are able to download exe files only from HTTPS.
FortiGate_80C # diag sys flash list
Partition Image TotalSize(KB) Used(KB) Use% Active
1 FGT80C-5.00-FW-build310-150123 39358 30112 77% No
2 FGT80C-5.02-FW-build670-150318 38733 32743 85% Yes
3 ETDB-25.00162 6966660 177672 3% No
Image build at Mar 18 2015 03:06:12 for b0670
Which SSL inspection profile are you using, certificate-inspection or deep-inspection?
Technical Writer, FortiOS
Let me know if there's anything you want to see added to the FortiGate Cookbook.
Albert,
You may want to enable FULL SSL Inspection to prevent downloading .exe files via HTTPS connections.
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
I agree, but if I'm not mistaken you can't inspect SSL/encrypted traffic without deep packet inspection enabled. You will need a valid cert from your CA Server or push the Self-signed cert to all your clients via GPO or something.
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
The only way for DLP to be applied to HTTPS traffic is to use full SSL inspection, as is done in the deep-inspection profile. We have a recipe on the Fortinet Cookbook about preventing certificate warnings that could help you out once you do use it.
Technical Writer, FortiOS
Let me know if there's anything you want to see added to the FortiGate Cookbook.
Ok, I get it now, but what if I have guests? There should be a simple way rather than installing a certificate on each computer.
AD GPO, or if you already have a PKI infrastructure, just generate a CSR with your Fortinet and let it be signed by your root.
Albert wrote: Ok, I get it now, but what if I have guests? There should be a simple way rather than installing a certificate on each computer.
NSE 8
NSE 1 - 7
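The CSR-signing route suggested in the last reply, as an added example that is not part of the thread or any Fortinet material: a certificate used to re-sign inspected HTTPS sessions has to be issued as a CA certificate, so the sketch signs one CSR both as a subordinate CA and without extensions and checks the difference. The throwaway root, the subjects and the file names are all constructed, and the CSR is generated locally with openssl as a stand-in for the one the firewall would produce.

```shell
#!/bin/sh
# Added example; every name, subject and path below is constructed.
# Signs one CSR twice: as a subordinate CA and, wrongly, with no extensions.
sign_inspection_ca() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Stand-in for the internal root that domain clients already trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -extensions root_ext -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # Stand-in for the CSR generated on the firewall (its key stays there).
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=Example Inspection Sub CA" \
        -keyout "$dir/fgt.key" -out "$dir/fgt.csr" 2>/dev/null || return 1
    # Correct: CA:TRUE with pathlen:0, so it can sign server certs but no further CAs.
    openssl x509 -req -in "$dir/fgt.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.cnf" -extensions sub_ca \
        -out "$dir/fgt-subca.crt" 2>/dev/null || return 1
    # Common mistake: signed without CA extensions, so it is not a CA certificate.
    openssl x509 -req -in "$dir/fgt.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -out "$dir/fgt-leaf.crt" 2>/dev/null || return 1
}

# True only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# True if the certificate (second argument) chains to the root (first argument).
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
d=$(mktemp -d) && sign_inspection_ca "$d" && is_ca_cert "$d/fgt-subca.crt" \
    && ! is_ca_cert "$d/fgt-leaf.crt" && echo "sub-CA is a CA, leaf is not"; rm -rf "$d"
```

Both certificates chain to the root, so a plain chain check does not catch the mistake; the `is_ca_cert` check on the signed result before importing it does.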