Hi all,
Good day!
The client wants a policy that they can access Facebook but for viewing only. They cannot do Comments, File/Status Upload and Play Videos but they can use Facebook Messenger (App) and Messeger.com (Web). I already achieve the client's requirements but it requires to install the certificate generated from the FortiGate to avoid the Certificate Error. I just wanna confirm if this requirement of the client can achieve without using Deep Packet Inspection on the FortiGate? or is there a firmware version of the Fortigate that can achieve the same result but doesn't require Deep Packet Inspection?
Best regards,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Kulas,
If Facebook was kind enough to use a unique url for each service like messenger.app.facebook.com, then you might be able to get a basic level of control using certificate inspection only vs deep packet inspection.
Deep inspection is required anytime you want to "see" what your users are using while encrypted.
This is not specific to fortigate - all systems that "inspect" SSL traffic have to do the same.
Are you aware of a product that can inspect SSL/TLS data streams without decoding and re-sign?
You could take the HTTPS traffic and just show the users HTTP and thus not need to re-sign the traffic.
Also if you already have an PKI, you could leverage that with your fotigate - so you don't have to use the certificate that came with your foritgate - but it does need some certificate signing certificate that the end-users computers trust.
The Deep Inspection certificate requires the "keyCertSign" attribute to be set - so I doubt any reputable CertAuthority that is pre-trusted by your OS/Browser will give one out.
-Neil
Kulas,
If Facebook was kind enough to use a unique url for each service like messenger.app.facebook.com, then you might be able to get a basic level of control using certificate inspection only vs deep packet inspection.
Deep inspection is required anytime you want to "see" what your users are using while encrypted.
This is not specific to fortigate - all systems that "inspect" SSL traffic have to do the same.
Are you aware of a product that can inspect SSL/TLS data streams without decoding and re-sign?
You could take the HTTPS traffic and just show the users HTTP and thus not need to re-sign the traffic.
Also if you already have an PKI, you could leverage that with your fotigate - so you don't have to use the certificate that came with your foritgate - but it does need some certificate signing certificate that the end-users computers trust.
The Deep Inspection certificate requires the "keyCertSign" attribute to be set - so I doubt any reputable CertAuthority that is pre-trusted by your OS/Browser will give one out.
-Neil
Per Palo Alto, their firewalls can differentiate between different facebook.com activities. Also on you Fortigate, you can ask your internal users to accept and install the fortigate certificate from their browsers to take care of the issue on signing.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1098 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.