Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jft3166
New Contributor

How to block https sites whitout ssl inspection

Hi everybody,

I have a fortigate 800C in 5.4 version.

I want to block HTTPS sites with the webfilter, but in my business we can't use ssl inpesction, it's fordibiden in relation to the law in France...

Do you know how I can block https sites whitout ssl inspection ?

I know the solution with a DNS server to redirect domains to a specific page or the solution to block the IP but it's too boring and not completely efficient.

Thanks for your answers.

best regard.

jft

13 REPLIES 13
Yurisk

It cannot change with 6.0 as SSL inspection is about SSL more than it is about Forti or any other vendor actually.

But between "Deep Inspection" and No Inspection there is a middle step - Certificate Inspection, have you tried it?

The difference is that Forti looks at the certificate SNI values to understand what is the host a user is trying to reach, WITHOUT looking into packet contents. So it does not intercept/proxy SSL connection as Deep Inspection does and accordingly will not cause browsers to display Ceritficate Error message.

 

And as kind of alternative (kind of as can be easily bypassed by a user) is DNS filtering which blocks not http/https requests to sites but DNS RESOLVING of those sites. It btw requires licensing and as I said can be circumvented by a prepared user.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Dave_Hall
Honored Contributor

@snobs

 

Certificate inspection in this case is likely your only option unless you want to craft a firewall policy rule that blocks the FQDN or static IP for that site  - such a firewall policy will need to be moved above any general web traffic firewall rule so it can be triggered.  pipeslocks.com looks to be a good example of a site to block (if the page title is anything to go on). 

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
snobs
New Contributor II

@Dave and Yurisk: Thank you

 

certificate inspection ist also enabled for the policy but nothing happens: "https" resolves without any problem, for http I get the warning homepage from the Fortinet. Is there any global setting I have to set?

Dave_Hall
Honored Contributor

Have you enabled/configured a proxy option profile and added it to the firewall policy? Has this policy been moved up in the firewall chain before any general (web) firewall rules?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors