How to block HTTPS sites without SSL inspection
Hi everybody,
I have a FortiGate 800C running version 5.4.
I want to block HTTPS sites with the web filter, but in my business we can't use SSL inspection; it's forbidden under the law in France...
Do you know how I can block HTTPS sites without SSL inspection?
I know the solution with a DNS server to redirect domains to a specific page, or the solution of blocking the IP, but it's too tedious and not completely effective.
Thanks for your answers.
Best regards,
jft
It cannot change with 6.0, as SSL inspection is about SSL more than it is about Forti or any other vendor, actually.
But between "Deep Inspection" and No Inspection there is a middle step, Certificate Inspection; have you tried it?
The difference is that Forti looks at the certificate/SNI values to understand which host a user is trying to reach, WITHOUT looking into packet contents. So it does not intercept/proxy the SSL connection as Deep Inspection does, and accordingly will not cause browsers to display a Certificate Error message.
And as a kind of alternative (kind of, as it can be easily bypassed by a user) there is DNS filtering, which blocks not the http/https requests to sites but the DNS RESOLVING of those sites. By the way, it requires licensing and, as I said, can be circumvented by a prepared user.
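To make the "certificate inspection" idea concrete: the firewall only needs the Server Name Indication (SNI) field, which the client sends in clear text in the TLS ClientHello before any encryption starts, so a hostname-based block decision can be made without decrypting or proxying the session. The following is an added illustration written for this thread, not code from the original post or from Fortinet: it builds a minimal ClientHello (constructed test input, not captured traffic), parses the SNI out of it, and applies a hypothetical blocklist. The blocklist entries and the `build_client_hello`, `extract_sni` and `policy_decision` names are assumptions for the example. It also shows the limit the reply hints at: a ClientHello with no SNI gives the inspector nothing to classify.

```python
import struct

# Constructed example blocklist; these names are placeholders, not real policy data.
BLOCKED_DOMAINS = {"blocked.example"}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name) + 2-byte length + hostname
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # client random (zeros for the example)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: length 2, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: length 1, null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 0x16 = handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if there is none to read."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip compression_methods
    if len(body) < pos + 2:
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None                               # truncated extensions block
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0 and len(data) >= 5:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0 and len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


def policy_decision(record, blocked_domains=BLOCKED_DOMAINS):
    """Classify a ClientHello by SNI alone: ('block'|'allow'|'no-sni', hostname)."""
    sni = extract_sni(record)
    if sni is None:
        # Nothing to match on: certificate inspection cannot name the site here,
        # so the policy has to fall back to whatever the firewall rule says for unnamed traffic.
        return ("no-sni", None)
    host = sni.lower().rstrip(".")
    labels = host.split(".")
    # Match the host and every parent domain so a blocked zone covers its subdomains.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked_domains:
            return ("block", host)
    return ("allow", host)


if __name__ == "__main__":
    for name in ("www.blocked.example", "docs.python.org", None):
        print(name, "->", policy_decision(build_client_hello(name)))
```

Only the hostname is ever read; nothing after the ClientHello is touched, which is why the browser sees the real server certificate and raises no warning. The `no-sni` branch is the practical caveat: clients that omit SNI, or hide it with Encrypted Client Hello, cannot be classified this way, so the surrounding firewall policy decides what happens to them.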
Certificate inspection in this case is likely your only option, unless you want to craft a firewall policy rule that blocks the FQDN or static IP for that site; such a firewall policy will need to be moved above any general web traffic firewall rule so it can be triggered. pipeslocks.com looks to be a good example of a site to block (if the page title is anything to go on).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
@Dave and Yurisk: Thank you.
Certificate inspection is also enabled for the policy, but nothing happens: HTTPS resolves without any problem; for HTTP I get the Fortinet warning page. Is there any global setting I have to set?
Have you enabled/configured a proxy option profile and added it to the firewall policy? Has this policy been moved up in the firewall chain before any general (web) firewall rules?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C