Hi everybody,
I have a FortiGate 800C running version 5.4.
I want to block HTTPS sites with the web filter, but in my business we can't use SSL inspection; it's forbidden by law in France...
Do you know how I can block HTTPS sites without SSL inspection?
I know the solution with a DNS server to redirect domains to a specific page, or the solution to block the IP, but it's too boring and not completely efficient.
Thanks for your answers.
Best regards.
jft
It cannot change with 6.0, as SSL inspection is about SSL more than it is about Forti or any other vendor, actually.
But between "Deep Inspection" and No Inspection there is a middle step, Certificate Inspection. Have you tried it?
The difference is that Forti looks at the certificate SNI values to understand what host a user is trying to reach, WITHOUT looking into packet contents. So it does not intercept/proxy the SSL connection as Deep Inspection does, and accordingly will not cause browsers to display a Certificate Error message.
And as a kind of alternative (kind of, as it can be easily bypassed by a user) there is DNS filtering, which blocks not HTTP/HTTPS requests to sites but DNS RESOLVING of those sites. It btw requires licensing and, as I said, can be circumvented by a prepared user.
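To make the SNI point concrete, here is an added example (not from this thread or from Fortinet) of how a certificate-inspection style filter can reach a verdict from the cleartext ClientHello alone: it parses the server_name extension and matches it against a deny list, without touching any encrypted payload. The deny list and the ClientHello builder are constructed for the demo; a hello with no SNI yields "no-sni", which is exactly the case such a filter cannot classify.

```python
import struct
from typing import Optional, Set

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(lst)) + lst         # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                              # version + zeroed random
            + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # no session id, one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 0x16 = handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the hello carries none."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                               # 5 record + 4 handshake + 2 version + 32 random
    pos += 1 + record[pos]                                 # skip session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # skip cipher suites
    pos += 1 + record[pos]                                 # skip compression methods
    if pos + 2 > len(record):
        return None                                        # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0 and record[pos + 2] == 0:         # server_name list whose first entry is host_name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("idna")
        pos += ext_len
    return None

DENY = {"example.com"}   # constructed deny list; a real one would come from the web filter profile

def sni_verdict(record: bytes, deny: Set[str] = DENY) -> str:
    """'block' if the SNI or a parent domain is denied, 'allow' otherwise, 'no-sni' if nothing to match."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"                                    # nothing visible without decryption
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                           # match host and every parent domain
        if ".".join(labels[i:]) in deny:
            return "block"
    return "allow"
```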
Certificate inspection in this case is likely your only option, unless you want to craft a firewall policy rule that blocks the FQDN or static IP for that site; such a firewall policy will need to be moved above any general web traffic firewall rule so it can be triggered. pipeslocks.com looks to be a good example of a site to block (if the page title is anything to go on).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
@Dave and Yurisk: Thank you
Certificate inspection is also enabled for the policy, but nothing happens: "https" resolves without any problem; for http I get the warning homepage from Fortinet. Is there any global setting I have to set?
Have you enabled/configured a proxy option profile and added it to the firewall policy? Has this policy been moved up in the firewall chain before any general (web) firewall rules?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C