SSL Deep Inspection / Cookbook discrepancies

Eric_Brown · ‎05-13-2016

The Fortinet documentation to prevent certificate warnings says, regarding the Deep Inspection Policy,

In this policy, the web categories Health and Wellness, Personal Privacy, and Finance and Banking are excluded from SSL inspection by default. Applications that require unique certificates, such as iTunes and Dropbox, have also been excluded.

However, on my configuration, the Deep Inspection Policy does not have these exceptions enabled. Additionally, the addresses (see screenshot) like "Android," "AppStore," etc., are not in my configuration.

My questions, then, are:

[ol]

Are these Addresses supposed to be included out of the box, and if not, does Fortigate publish the configuration files so I can add them? These addresses are referenced elsewhere, so it would be nice to have them.

Is the Deep Inspection Policy indeed supposed to exclude Dropbox, or is the documentation incorrect?

If the Deep Inspection Policy does not include the Dropbox desktop client, what is the best way to exclude it from scanning (there was another post in the forums that suggested making a new firewall policy, but I don't understand how to only apply it to the Dropbox Desktop Client).[/ol]

Thanks for your help.

Fortigate 60C

v5.2.7,build718

Baptiste · ‎05-17-2016

Hello,

thoses adresses are manually created (it's an example) : you choose what you want to exempt from DPI

you have to create your own adress list based on what you want/need

2 FGT 100D + FTK200

3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E