Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pctech79
New Contributor

SSL Exemptions and Categories

with SSL Inspection, i have been running into problems with applications and devices being blocked.  i currently have deep-inspection applied to my policy and am playing around with overrides and custom categories.  for the most part this is working but it can get tedious with what to set.

 

is it safe to add an entire category as an exemption (IE: Business, Information Technology) or can this pose a threat?

3 REPLIES 3
Christopher_McMullan

To some extent, yes, but re-evaluations happen fairly constantly. If a site within a known good category is compromised or reported by a user or firewall, or an anomaly is detected by the FortiGuard network, the site can be re-categorized as Malicious until the site owners rectify the issue.

 

The detection and category change can take some time (so can categorizing zero-day threats), so you'd have to consider on balanace how sensitive you'd want your detection to be, but as long as you block the Malicious category, it should be safe up to a point.

Regards, Chris McMullan Fortinet Ottawa

pctech79
New Contributor

i was moreso referring to SSL Inspection exemptions and deep-inspection profile as i am understanding your reply as the category itself under Web Security.

AndreaSoliva
Contributor III

Hi

 

I think you are pointing to "exclude some sites" form being scaned by deep-inspection!? It depends what you would like to reach. If you are using deep-inspection (Cert on the client) you will have some problems on specific sites like Windows Update etc. This is regarding "how the cert is checked" for such services etc. Under FortiOS 5.2.x there is a new function which covers this. This means lets imagine you have deep-inspection and WebFilter implemented with categories etc. whatever you have. If you recognize that a site makes problems with deep-inspection and WebFilter and you would like to exclude a specific site from beeing used by deep-inspection use following command (FortiOS 5.2.x only):

 

            # config firewall ssl-ssh-profile             # edit [Use your profile]             # config ssl-exempt             # edit [Use a integer 1]             # set type [fortiguard-category | address | address6]             # set fortiguard-category [If option "set type fortiguard-category" is used set specific category]             # set address [if option "set type address" is used define address]             # end

 

There is also another possibility to exclude a specific site by "wildcard, regex, simple" for beeing used for UTM features like antivirus etc. This is configured in the WebFilter as specific URL Filter (both FortiOS 5.0.x and/or FortiOS 5.2.x):

 

       # config webfilter urlfilter        # edit [Use a specific Integer like 1]        # config entries        # edit [Use a specific Integer like 1]        # set url [set a specific URL like *.apple.com]        # set type [simple | regex | wildcard]        # set action [exempt | block | allow | monitor]        # set exempt [By default "all" is used meaning "all" UTM Features. If you like to set a specific one use | av | web-content | activex-java-cookie | dlp | fortiguard | range-block all]        # set status [enable | disable]        # unset referrer-host        # end        # end

 

The meaning of the excempt options are:

 

       activex-java-cookie     ActiveX, Java, and cookie filtering.        all                     Exempt from all.        av                      Antivirus filtering.        dlp                     DLP scanning.        filepattern             File pattern matching.        fortiguard              FortiGuard web filtering.        pass                    Pass single connection from all.        range-block             Exempt range block feature.        web-content             Web filter content matching.

 

After defining a URL Filter set the specific Integer like "1" used for "config webfilter urlfilter" within the specific webfilter:

 

# config webfilter profile

# edit [Name of the profile]

# config web

# set urlfilter-table 1

# end

# end

 

This means under FortiOS 5.2 you can over deep-inspection profile exclude some site to be used for deep-inspection and for FortiOS 5.0.x and/or FortiOS 5.2.x you can over URL Fitler exclude some sites (wildcard, simple, regex) from UTM Features.

 

Hope this helps

 

have fun

 

Andrea

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors