Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSL Inspection to selected websites



I want to accomplish what I think it makes a lot of sense for me but for some reason I didn't find a way to do it: I want to use SSL inspection ONLY for gmail, to avoid any worker uses any consumer email or a mail from any other GSuite domain. I don't want the firewall to process any other website with SSL, only gmail. I don't want to use the Application Control module, I need to minimize the resources to what it is needed, we have a Fortigate 100E and enabling the SSL deep inspection raises the CPU usage up to 40-50% because we have more than 100 people here.


Is there a way to do it? through GUI or CLI, I don't care, but I need that SSL inspection rule behaves like "any site but selected sites" instead of "all sites but exempted sites", since it's something I want to apply particularily to a selected number of sites, not removing it from them.


Thank you :)

Esteemed Contributor III

Typically it's the otherway you  make exception per-site for what you do not want to inspect. Have you  tried a wildcard FQDN in a policy rule and than enable ssl inspection for that one rule?











PCNSE NSE StrongSwan
New Contributor

Hi Ken;


I already tried but for some reason, fortigate does not allow wildcard FQDN's to be applied to Policy rules. I even tried to cheat it by making a group with some unrelated addresses and the group was appearing in the destination list to select from, but once I add any wildcard FQDN address that group dissapears from the selection list. To my understand, this is a nonsensical limitation but I don't mind as long as it can be accomplished through other way than installing Application Control module.


Thanks for your help :)


A wildcard FQDN can't be used as an src/dst address object at a policy with FGT, because it can't be translated to address(es) via DNS. If you are running 5.6.x or above, you have an option to choose an Internet Service "Google-Gmail" in GUI (in CLI, set internet-service enable/set internet-service-id 65646). The GUI shows me it includes "Total IP Ranges: 352, Total IPs: 119110". I'm not sure what exactly IP Ranges mean though.


Great, that seems to be a solution, but I need to know two things: does it really work with gmail only? and, having that amount of IP's will overload the firewall? I'm very concerned about the performance, since for some reason Fortinet put a joke CPU inside the +1000$ 100E firewall. For that price it would have to have at least an 8 core Atom paired with 8GB of RAM...


Thanks for your help.


I haven't tried it myself. But whoever offers a solution, I wouldn't trust anything until I test it myself or one of my coworkers. You should test it yourself and if it doesn't work, open a case with TAC. It's an advertised new feature with 5.6 from FTNT. If it doesn't work, they need to fix it.

New Contributor

Thank you Toshi :)


I can't update the FG right now since it is critical, I need to schedule a plan for doing it. Luckyly we bought a 100D without any license as a backup appliance in case the new 100E fails. Surprisingly, the 100D CPU is way better because I have exactly the same configuration and with the 100E the SSL deep inspection takes like 40-50% of the CPU but for the 100D only 25-30%. I'm starting to comprehend the nonsensical way of doing from Fortinet jaja, I started using these appliances only almost 2 years ago. I just hope the 100F is really something with a powerful x86 CPU and at least 8GB of RAM. Otherwise I'm planning to move to PFSense :(


Again, thank you very much :)


Was having the same problem. I used your suggestion. Not as uniform as I would like, but it's working. I created a separate ACL for the URL, but set it as Accept in the ACL. I added the URL to the Web filter as a custom category and blocked it in the web filter profile. I applied the web filter profile to the ACL. I applied SSL Certificate inspection in the ACL, to ID the URL and block it after the user accepts the security warning. I suppose sometime in the future we will deploy the Proxy SSL cert to all workstations.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors