mseiler0815
New Contributor II

SSL Decryption Exclusion List

Hello community,

 

I'm looking for a list of SSL decryption exclusions which are not in the default Deep Inspection Profile.

 

Things like Skype, Citrix and Apple, which are already excluded.

 

I'm facing issues with (for example) GoToMeeting and other apps. Maybe someone can share a resource with this kind of information (IP and/or FQDN).

 

Sure, troubleshooting is possible. But if someone already solved this case, it would help the community. And this is just an example. A list to contribute to would be great.

 

Thank you

 

/Michael

4 REPLIES
Anthony_E
Community Manager

Hello Michael,

 

Thank you for using the Community Forum.

 

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Michael,

 

I am still looking into whether it is possible to get a list as requested.

 

Meanwhile, I am sharing this document:

 

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/122078/deep-inspection

 

Could you please tell me if it is helping?

 

Regards,

Anthony-Fortinet Community Team.
lummi
New Contributor

Hi Michael,

 

I would suggest you use the "Internet Service Database" objects for this. These are dynamic objects maintained by Fortinet, including IPs / ports for specific services (contract required). So you would create two firewall policies: one for the default web traffic with deep inspection enabled, and a second one above it with the Internet Service object as destination and deep inspection disabled. Worked perfectly for me in the past.

 


 

 

- Lummi

mseiler0815
New Contributor II

Hey Lummi,

 

Very good idea. Thank you. This will help in this particular case.

 

But what about all the repository servers from Ubuntu/SUSE/Debian and so on? This is just another example.

Not all distros are covered by ISDB.

It would be awesome if someone already figured out which IPs/FQDNs are required to get this running.

 

Regards

 

Michael 
