Hi guys, this is probably gonna be a very dumb post because I am new in this field. So, I have a Fortinet firewall installed on premises. My employer wants to inspect each and every URL the clients visit; even the data shared between server and client should be in clear text. I thought of implementing DPI, but while studying it I found out that websites which use HSTS don't allow DPI. Now I'm wondering about any solution and need your help. I would appreciate any kind of help received. Thanks in advance.
In terms of URL tracking, the Web Filter security profile does the job. You'll just need to set all the Allowed categories to Monitor so that legitimate websites will be logged as well.
To prevent certificate errors while using DPI, follow this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a... Alternatively, use a CA certificate that is signed by a 3rd party instead of using FortiGate's CA certificate for the purpose of doing deep packet inspection.
Hi @mohar,
I believe Web filter should do the job. Please refer to this document https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/833698/web-filter
Regards,
Minh
Hi @mohar,
You can use SSL deep inspection and whitelist websites that don't allow DPI. Please refer to this article on how to exempt: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-exempt-government-category-from-dee....
Regards,
Hello @mohar
You may want to use Proxy inspection mode for your requirement. Here is more information on that:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/969330/proxy-mode-inspection
In proxy mode, the FortiGate will act as an intermediary, and sessions created by the user will be proxied by the FortiGate. This allows the FortiGate to inspect the content of the sessions and allows more control over what is allowed.
Here is how you can change the inspection mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-the-inspection-mode-of-the-firewa...
You will also need to have SSL Deep inspection:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a...
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/122078/deep-inspection
If you have additional questions, let me know.
Regards,
Varun
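The replies above combine three settings: a Web Filter profile with categories set to Monitor, an SSL deep-inspection profile with exemptions, and a proxy-mode firewall policy. The sketch below shows them together in FortiOS 7.x CLI form; it is an added example, not configuration posted by anyone in this thread. The profile names, policy ID 1 and the category IDs are assumptions to adapt to your own unit.

```fortios
# Added example. Names, IDs and categories below are hypothetical.

# 1) Web Filter profile: log allowed sites by setting categories to Monitor.
config webfilter profile
    edit "monitor-all"
        # Match the policy's inspection mode (FortiOS 6.4 and later).
        set feature-set proxy
        config ftgd-wf
            config filters
                # One entry per category. 52 is used here as a sample ID;
                # repeat for every category you currently allow.
                edit 1
                    set category 52
                    set action monitor
                next
            end
        end
    next
end

# 2) SSL/SSH profile: deep inspection on HTTPS, with an exemption list
#    for sites that must not be decrypted.
config firewall ssl-ssh-profile
    edit "deep-with-exempt"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            # Sample exemption by FortiGuard category (31 assumed to be
            # Finance and Banking; confirm the ID on your unit).
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
        end
    next
end

# 3) Firewall policy: proxy inspection with both profiles attached.
config firewall policy
    edit 1
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-with-exempt"
        set webfilter-profile "monitor-all"
        set logtraffic all
    next
end
```

Clients must trust the CA certificate used by the deep-inspection profile, as described in the linked deep-inspection article, or every inspected HTTPS site will raise a certificate error.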