Support Forum
Fernando
New Contributor

I don't have access to Outlook

Hi.

After renewing our subscriptions for our Forti 60D, we cannot access Office 365, neither with the Office 365 application nor through the web.

I enclose a picture with the message.

Thanks in advance

EMES
Contributor

It looks like your outbound policies have an SSL/SSH inspection profile enabled on them. Your traffic might be decrypted by the firewall. If you hit Yes and continue, do you get to the site? If so, then that is all it should be.

Fernando
New Contributor

No, in this case it is impossible for me to access; the page is blocked by the Fortinet.

Thanks in advance

EMES

To add to that, every time you make a change to profiles on a security policy, the firewall automatically adds the SSL/SSH inspection profile to it. That is, unless you configure it in the CLI; then it does not.

Fernando
New Contributor

I understand, but how can I resolve this problem?

Thanks

EMES

You would remove the SSL/SSH inspection profile from the outbound policies. That's the easiest way.

tanr
Valued Contributor II

Outlook/Exchange do certificate pinning, so they don't accept the certificate provided by the deep SSL inspection.

Rather than turn off SSL inspection for everything, a relatively simple solution is to figure out the URL (or IP) of your Outlook/Exchange server, then:

1. Create an address object for your mail server's URL

2. Duplicate the security policy rule you're currently using that has the deep SSL inspection, placing the duplicate before the old policy rule

3. Change the duplicate rule's destination to only be the mail server's URL address object

4. Change the duplicate rule's services to only the needed mail services (I think you'll also need HTTP and HTTPS; you can check the logs to see if other services are needed)

5. Change the duplicate rule's security profiles to do certificate inspection instead of deep SSL inspection

6. Enable the rule


Hope this helps.

gsarica

An easier solution, depending on the firmware version, would be:


1. Create an address object for your mail server's URL

2. Add the address object as 'exempt from SSL inspection' in the deep packet inspection security profile


No need for an entire new policy in this case.
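For reference, here is what both approaches in this thread look like in the FortiOS CLI. This is an added example, not configuration posted by tanr or gsarica; the object names, interface names (internal, wan1), the mail server FQDN and the policy IDs used in the move command are assumptions for illustration, and the deep-inspection profile is assumed to be your own editable clone rather than the read-only built-in one.

```fortios
# Step shared by both approaches: an address object for the mail server.
# FQDN is assumed here; use an IP/subnet object if your server has a fixed address.
config firewall address
    edit "mail-server"
        set type fqdn
        set fqdn "outlook.office365.com"
    next
end

# gsarica's approach: exempt the address from deep inspection inside the
# SSL/SSH profile that the existing outbound policy already references.
# Caveat from the thread: this exempts every service to that destination,
# and the documentation does not say whether certificate inspection still runs.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config ssl-exempt
            edit 0
                set type address
                set address "mail-server"
            next
        end
    next
end

# tanr's approach: a narrower policy, placed before the existing deep-inspection
# policy, that sends only the needed services to the mail server with
# certificate inspection instead of deep inspection.
config firewall policy
    edit 0
        set name "mail-server-cert-inspect"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "mail-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

# Ordering matters: the new policy must sit above the old one.
# Replace 20 with the ID allocated to the new policy and 10 with the old one.
config firewall policy
    move 20 before 10
end
```

The service list above covers only HTTP and HTTPS; as tanr notes, check the traffic logs on the new policy and add any further mail services that appear there.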

tanr
Valued Contributor II

@gsarica, good point! That is simpler, though it doesn't restrict the non-inspected services to only mail-related services. Do you know if being exempt from SSL inspection still does certificate inspection?

gsarica

That's a good question. The documentation doesn't specifically say that certificate inspection would still take place. We make sure to only add trusted sites to this list (i.e. our email server URL), and you can also choose to log exemptions.
