DNS web filtering instead of SSL inspection?
Hi,
I want to set up some basic web category filtering for our school. A common problem is that we can block "http://facebook.com" but we can't block "https://facebook.com". Is there an easy way to do this without setting up SSL Inspection? I have seen articles about DNS Inspection mode for the web filtering but no doc on how to set it up. Do the clients need to use the Fortigate as their DNS server? Currently we use internal MS DNS with forwarding to external (ISP) DNS. How would this need to change to use DNS mode? TIA
What firmware are you running? You can block sites without deep SSL inspection by using the certificate CN and/or SNI.
Hi, thanks for your reply. Firmware is v5.0, build3608 (GA Patch 7). Can you send me a link to a doc or basic instructions for setting up this blocking filter?
FortiOS 5.0.x has issues with blocking HTTPS sites, but FortiOS 5.2 is out; it has better HTTPS blocking capabilities.
In any case, you can always use Application Control instead of Web Filters to achieve your results.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
You can follow this doc to block HTTPS without deep scan:
http://docs.fortinet.com/d/fortigate-configuring-fortios-v5.0-webfiltering-for-https-scanning-without-ssl-deep-scanning
It does not work for all websites (YouTube, for example), but for Facebook it works fine.
This method blocks using the cert CN...
regards,
paulo raponi
Regards, Paulo Raponi
All because of certificates. A mismatch between the URL and the CN in certificates always causes this. YouTube is a pain because the certificate of YouTube is *.google.com.
Application Control is more helpful to block HTTPS.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Many thanks for the replies. I have arranged for the OS to be upgraded to 5.2 then we will try the solutions suggested.
5.2 is a very new OS. It still has some bugs...
The best way is to try with 5.0.7, and if you have NO SUCCESS, you can upgrade to 5.2...
I can confirm that 5.0.7 works fine with HTTPS block..
Regards, Paulo Raponi
Just to be clear... before v5, non-deep SSL inspection used only the certificate CN, thus Google sites could not be differentiated.
In v5, inspection via SNI was also added, so YouTube etc. can be blocked without SSL deep inspection.
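The distinction drawn in this thread between CN-based and SNI-based HTTPS filtering can be shown with a small, self-contained script. It is an added example, not code from the thread or from Fortinet: it builds a constructed TLS 1.2 ClientHello, pulls the host name out of the server_name (SNI) extension, and applies a constructed blocklist both to that SNI value and to a certificate CN. The blocklist and the `*.google.com` CN for YouTube are taken from the posts above; the helper names are assumptions for the example, and the parsing covers only the fields the SNI lookup needs.

```python
"""Added example: SNI-based vs certificate-CN-based HTTPS blocking.

Constructed data only; it does not use any FortiGate API or real traffic.
"""
import struct
from typing import Optional

# Constructed blocklist for the example (domain suffixes, matched on labels).
BLOCKLIST = {"facebook.com", "youtube.com"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed).

    With server_name=None the extensions block is omitted entirely, so the
    filter sees a ClientHello that carries no SNI at all."""
    body = b"\x03\x03" + b"\x00" * 32        # client_version + 32-byte random (zeroed)
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\x00\x2f"              # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                      # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name         # name_type 0 = host_name
        sni_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list     # extension 0 = server_name
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record,
    or None when the record is not a ClientHello or carries no SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                      # record header, handshake header, version, random
    pos += 1 + record[pos]                # session_id
    (cs_len,) = struct.unpack_from(">H", record, pos)
    pos += 2 + cs_len                     # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    if pos + 2 > len(record):
        return None                       # no extensions block at all
    (ext_len,) = struct.unpack_from(">H", record, pos)
    pos += 2
    end = min(pos + ext_len, len(record))
    while pos + 4 <= end:
        etype, elen = struct.unpack_from(">HH", record, pos)
        pos += 4
        if etype == 0x0000 and elen >= 5:
            # server_name list: 2-byte list length, 1-byte name_type, 2-byte length, name
            (name_len,) = struct.unpack_from(">H", record, pos + 3)
            return record[pos + 5 : pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def hostname_blocked(hostname: str, blocklist=BLOCKLIST) -> bool:
    """Label-aware suffix match: 'www.youtube.com' matches 'youtube.com',
    but 'notyoutube.com' does not."""
    host = hostname.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


def cn_blocked(cert_cn: str, blocklist=BLOCKLIST) -> bool:
    """CN-only decision, as the pre-SNI filter in this thread worked.

    A wildcard CN such as '*.google.com' only reveals which domain the
    certificate covers, not which site the client actually asked for."""
    domain = cert_cn.lower()
    if domain.startswith("*."):
        domain = domain[2:]
    return hostname_blocked(domain, blocklist)


def filter_client_hello(record: bytes) -> str:
    """Decision for one ClientHello: 'block', 'allow', or 'no-sni' when the
    filter would have to fall back to the certificate CN or another signal."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "block" if hostname_blocked(sni) else "allow"


if __name__ == "__main__":
    for host in ("www.youtube.com", "www.google.com", None):
        print(host, "->", filter_client_hello(build_client_hello(host)))
    # YouTube behind a *.google.com certificate is invisible to a CN-only filter.
    print("CN *.google.com blocked:", cn_blocked("*.google.com"))
    print("CN *.facebook.com blocked:", cn_blocked("*.facebook.com"))
```

The `cn_blocked("*.google.com")` result is the thread's "YouTube is a pain" case: the CN-only path cannot block YouTube without also blocking every other Google property, while the SNI path sees `www.youtube.com` directly. The `no-sni` result is the case a production filter still has to make a policy decision for, since older or deliberately stripped ClientHellos carry no server name.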
Hi all,
In firmware version 5.6.3, build1547, I tested the certificate-based inspection and I was able to block youtube.com and allow google.com using Web Filter only.
The following screenshot shows it:
I did not get any certificate warnings. The client browser will just see the default Error_CONNECTION_CLOSED or "The site can't be reached" message. It's worth noting that I configured my filter not to display a block page/replacement message.
Hope it helps!
Thanks & regards,
Prab :)
