Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wayne11
Contributor

SSL Inspection Address range

Hi guys,

We are running into more and more problems with SSL Inspection and a few applications. The normal HTTPS policy with SSL Inspection enabled won't allow the following services anymore:

- Microsoft Lync 2013 / Office 365
- Citrix GoToMeeting and GoToWebinar
- DropBox
- A few SSL VPN clients like SonicWall etc.

So we create our own HTTPS policy for each user group without SSL Inspection and with the application-specific IP ranges as target. For example, Microsoft Lync 2013 / Online 365 needs 20 IP ranges to establish a connection, so it's time-consuming but still manageable. But Citrix uses too many IP ranges to put them into an address group: http://img.citrixonline.com/dtsimages/ad/pdf/OSDFirewallSpec.pdf

I understand it's not possible to use FQDN with wildcards, but how else can we solve those problems? How do you guys manage such applications, and why do they have trouble with SSL Inspection?

Thx for any suggestions.
Wayne
HA
Contributor

Hello,

It's possible by using the domain name.

1) Create a Rating Override and assign it to Custom1. Example: URL: fortinet.com, Category: Custom Categories, Sub-Category: custom1
2) Allow Local Categories in the Web Filter Profile.
3) From the CLI, under the specific Web Filter Profile, disable SSL Inspection for the Custom1 Category.

Regards,
HA
Bromont_FTNT
Staff

Wayne,

Those services are looking for specific client (and/or server) certificates, so any kind of man-in-the-middle will break the connection... SSL inspection will not be possible. FQDN probably won't be a good alternative for larger companies; you also likely need to sniff traffic to see what the DNS requests from these applications are. SSL exemption for business/custom categories may be possible.
Wayne11
Contributor

Hi HA and thanks for the quick reply. You are my hero: set "exempt-ssl" to the Webfilter Profile override category and everything works like a charm. Thx a lot
clarkg
New Contributor

Whoa, wait. You can exempt SSL inspection for just 1 category?!? How do I do that?
Wayne11
Contributor

Just create your own Rating Override Sub-Category, e.g. "withoutSSLinspection". Put all the domains into that group. Edit the Webfilter profile and, if you don't have it already, enable the "FortiGuard Categories" and make sure the newly created Sub-Category is set to "Allow" or "Monitor" under the "Local Categories".

    # check the ID of the new Category
    config webfilter ftgd-local-cat
        show
        # note the ID
    end

    # make the needed changes in the webfilter profile
    config webfilter profile
        edit "profile name"
            config ftgd-wf
                set exempt-ssl "Category ID"
            end
        next
    end

Works perfectly here
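The whole procedure HA and Wayne describe (custom local category, rating overrides for the application domains, exemption of that category from SSL inspection in the profile), written out as one CLI script. This is an added example, not from the thread: it uses FortiOS 5.x syntax, the category name, ID 140 and the domains are placeholders, and the ftgd-local-cat / ftgd-local-rating keys are assumed from that syntax, so confirm them with "show" on your firmware before relying on it.

```fortios
# 1) Create the custom local category.
#    Assumption: on FortiOS 5.x custom category IDs start at 140; pick a free one.
config webfilter ftgd-local-cat
    edit "withoutSSLinspection"
        set id 140
    next
end

# 2) Rating overrides: map each application domain to the local category.
#    The domains below are constructed placeholders, not the real service hosts.
config webfilter ftgd-local-rating
    edit "lync.example.com"
        set status enable
        set rating 140
    next
    edit "gotomeeting.example.com"
        set status enable
        set rating 140
    next
end

# 3) In the web filter profile used by the HTTPS policy, exempt that category
#    from SSL inspection. Traffic to those domains is then passed through
#    without certificate replacement, so keep the list as small as possible.
config webfilter profile
    edit "profile name"
        config ftgd-wf
            set exempt-ssl 140
        end
    next
end

# 4) Verify the setting landed in the profile (per profile; it is not global).
show webfilter profile "profile name"
```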
clarkg
New Contributor

Just create your own Rating Override Sub-Category, e.g. "withoutSSLinspection". Put all the domains into that group. Edit the Webfilter profile and, if you don't have it already, enable the "FortiGuard Categories" and make sure the newly created Sub-Category is set to "Allow" or "Monitor" under the "Local Categories".

    # check the ID of the new Category
    config webfilter ftgd-local-cat
        show
        # note the ID
    end

    # make the needed changes in the webfilter profile
    config webfilter profile
        edit "profile name"
            config ftgd-wf
                set exempt-ssl "Category ID"
            end
        next
    end

Works perfectly here
So after I do this, is there a way in the CLI to check and make sure the change took effect?
clarkg
New Contributor

    # make the needed changes in the webfilter profile
    config webfilter profile
        edit "profile name"
            config ftgd-wf
                set exempt-ssl "Category ID"
            end
        next
    end
Also, do I need to do this for each profile, or does changing it for one profile change it for all of them?
clarkg
New Contributor

If you put a domain into a URL filter on a profile and set the status to exempt, doesn't that exempt it from SSL inspection too? Especially if you use a regular expression?
Wayne11
Contributor

No, for a webfilter URL the FG needs to break up the SSL traffic first, so it's replacing the certificate already at that stage.