FlavioB
New Contributor III

[OS 4.3.14] Blocking https URLs with explicit proxy

Hello there. I've set up explicit proxy and I have 3 different webfilter profiles bound to 3 different FSSO user groups. There's one webfilter profile which completely blocks all categories except for one local category which contains a couple of websites.

Now the problem is that if a user who is subject to this "no-internet" profile puts https instead of http in his browser, he/she is able to access blocked sites (facebook.com for example). I managed to enable "HTTPS Scanning" in this "no-internet" webfilter profile, with no success. Even the protocol options specific for this policy have Deep Scanning enabled, but to no use.

How do I have to proceed to achieve my goal?

Thanks and regards, F.
Dave_Hall
Honored Contributor

Anything preventing you from just setting the port access to port 80 only on that fw policy that "no-internet" profile is tied to? Does that person(s) need web access to any other port other than port 80? Some of our own fgt devices do not have content processors capable of SSL scanning so what we have done is simply block port 443 to common web sites (i.e. Facebook, Youtube, etc.).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
FlavioB
New Contributor III

Hi Dave. I'm on a 620B-Cluster (regarding the CPs)... In fact, I also was thinking about allowing only port 80, but some of the allowed websites have to be accessible via both http and https... Now you see where I'm stuck at! Any help here? Thanks and regards, F.
Dave_Hall
Honored Contributor

> In fact, I also was thinking about allowing only port 80, but some of the allowed websites have to be accessible via both http and https... Now you see where I'm stuck at!

If we are talking about a handful of websites you could always set up fqdn addresses then group them together and use that on the fw policy as dest address.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
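
The FQDN address group suggested in the reply above could look like this in the FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the object names, the hostnames and the `<policy-id>` placeholder are assumptions to be replaced with your own values.

```fortios
# Added example. Object names and hostnames are constructed placeholders.

# One FQDN address object per allowed website.
config firewall address
    edit "allowed-site-1"
        set type fqdn
        set fqdn "www.allowed-site-1.example"
    next
    edit "allowed-site-2"
        set type fqdn
        set fqdn "www.allowed-site-2.example"
    next
end

# Group the allowed sites so the policy references a single object.
config firewall addrgrp
    edit "no-internet-allowed"
        set member "allowed-site-1" "allowed-site-2"
    next
end

# Use the group as destination on the policy tied to the "no-internet"
# profile, so that both http and https reach only these hosts.
# <policy-id> is a placeholder for the ID of that existing policy.
config firewall policy
    edit <policy-id>
        set dstaddr "no-internet-allowed"
    next
end
```

FQDN address objects are matched by the IP addresses the FortiGate resolves for them, so a site hosted on shared or CDN addresses also admits any other hostname served from the same IP, and the FortiGate must use a DNS view consistent with what the sites actually resolve to.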