I don't have access to Outlook
Hi.
After renewing our subscriptions for our Forti 60D, we cannot access Office 365, either with the Office 365 application or through the web.
I enclose a picture with the message.
Thanks in advance
It looks like your outbound policies have an SSL/SSH inspection profile enabled on them. Your traffic might be decrypted by the firewall. If you hit yes and continue, do you get to the site? If so, then that is all it should be.
No, in this case it is impossible for me to access; the page is blocked by the Fortinet.
Thanks in advance
To add to that, every time you make a change to profiles on a security policy, the firewall automatically adds the SSL/SSH inspection profile to it. That is, unless you configure it in the CLI; then it does not.
I understand, but how can I resolve this problem?
Thanks
You would remove the SSL/SSH inspection profile from the outbound policies. That's the easiest way.
Outlook/Exchange do certificate pinning, so don't accept the certificate provided by the deep SSL inspection.
Rather than turn off SSL inspection for everything, a relatively simple solution is to figure out the URL (or IP) of your outlook/exchange server, then:
1. Create an address object for your mail server's URL
2. Duplicate the security policy rule you're currently using that has the deep SSL inspection, placing the duplicate before the old policy rule
3. Change the duplicate rule's destination to only be the mail server's URL address object
4. Change the duplicate rule's services to only be needed mail services (I think you'll also need HTTP and HTTPS - you can check the logs to see if other services are needed)
5. Change the duplicate rule's security profiles to do certificate inspection instead of deep SSL inspection
6. Enable the rule
Hope this helps.
tanr wrote:
Outlook/Exchange do certificate pinning, so don't accept the certificate provided by the deep SSL inspection.
Rather than turn off SSL inspection for everything, a relatively simple solution is to figure out the URL (or IP) of your outlook/exchange server, then:
1. Create an address object for your mail server's URL
2. Duplicate the security policy rule you're currently using that has the deep SSL inspection, placing the duplicate before the old policy rule
3. Change the duplicate rule's destination to only be the mail server's URL address object
4. Change the duplicate rule's services to only be needed mail services (I think you'll also need HTTP and HTTPS - you can check the logs to see if other services are needed)
5. Change the duplicate rule's security profiles to do certificate inspection instead of deep SSL inspection
6. Enable the rule
Hope this helps.
An easier solution, depending on the firmware version, would be:
1. Create an address object for your mail server's URL
2. Add the address object as 'exempt from SSL inspection' in the deep packet inspection security profile
No need for an entire new policy in this case.
@gsarica, good point! That is simpler, though it doesn't restrict the non-inspected services to only mail-related services. Do you know if being exempt from SSL inspection still does certificate inspection?
That's a good question; the documentation doesn't specifically say that certificate inspection would still take place. We make sure to only add trusted sites to this list (i.e. our email server URL), and you can also choose to log exemptions.
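The two workarounds described in the thread (a narrower policy with certificate inspection, or an exemption inside the deep inspection profile), sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. It assumes FortiOS 5.x/6.0-style syntax, and the object names, the FQDN `mail.example.com`, the interfaces `internal`/`wan1` and the policy IDs are placeholders to replace with your own.

```fortios
# Added example: all names, interfaces, FQDNs and IDs below are placeholders.
# Step 1 (both approaches): address object for the mail server.
config firewall address
    edit "mail-server"
        set type fqdn
        set fqdn "mail.example.com"
    next
end

# Approach A: a dedicated policy for mail traffic that uses certificate
# inspection only, placed before the existing deep-inspection policy.
config firewall policy
    edit 0
        set name "mail-cert-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "mail-server"
        set action accept
        set schedule "always"
        # Limit to the services mail actually needs; check logs for others.
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
    # Policies match top-down, so the new rule must sit above the old one.
    move <new-policy-id> before <deep-inspection-policy-id>
end

# Approach B: keep one policy, but exempt the mail server inside the
# deep inspection profile already applied to it (profile name is a placeholder).
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "mail-server"
            next
        end
    next
end
```

Approach A keeps the exception scoped to specific services on one destination; approach B exempts every service the existing policy allows to that address, so keep the exempt list limited to hosts you trust.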
