Hello,
I am having an issue with our Fortigate 100.
Previously, my regional manager made changes on our devices.
It was supposed to block YouTube, since we did not manage to block the YouTube HTTPS.
For a few days it seemed OK, but after a while we noticed book.google.com is blocked too, which is a big issue for some of our departments.
We are also facing certificate errors a lot.
When we try to open YouTube, it will say the block url:google.com.
We have not put Google in the blocking list. I also tried putting book.google.com in web filtering as "allow", but still no success.
Any advice on unblocking book.google.com?
Regards,
Sora
Hi Sora.
Welcome to the forums.
The Fortigate uses two possible methods (more in later firmware releases) for detecting sites visited via HTTPS: 1) SSL inspection and 2) deep packet inspection. SSL inspection is where the Fortigate peeks at the .cn name on the security certificate of the site visited, whereas deep packet inspection requires the Fortigate play a "man-in-the-middle" by substituting its own security certificate in order to decrypt the SSL connection in order to see what actual site is being visited. Because the 100 is so old (last firmware release for it was 3.0MR7 Patch 10) it is only able to use SSL inspection. Because youtube uses Google's *. wild card security certificate, the 100 will only see *.google as the visited HTTPS URL. (This is true for any Google related site that uses the same *. wild card security certificate.)
Your best option to "kinda/sorta" block youtube on your 100, if it is running the really old firmware, is to create a set of FQDN Youtube addresses (e.g. "www.youtube.com", "youtube.com", "i1.ytimg.com", "youtube-ui.l.google.com"), place them into a group and use it as a destination address in a firewall policy, set the action to block, then move this firewall policy up in the firewall chain so it triggers (before your general web traffic firewall policy).
As for allowing book.google.com, set the web filter URL action to exempt and (if possible) move this entry up in the URL list. The "Allow action" in URL filter will still subject the URL to other URL filter rules in your URL filter list.
If you still need further help, it would help us out if you provided more info on the problem, like what actual firmware is running on the 100 and maybe a brief rundown on how the firewall policy rules are set up (screenshots sans identifiable IPs), how your web filter policies are set up, etc.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
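An added illustration of the two points in the reply above (not part of the original posts, and not FortiOS code): a simplified Python model of a filter that sees only the certificate name, and of an ordered URL list where "allow" keeps evaluating later entries while "exempt" stops. The certificate name `*.google.com`, the substring matching and both URL lists are assumptions constructed for the example.

```python
# Simplified model for illustration; not FortiOS's real matching logic.
# Constructed sample data: hostname requested -> name on the certificate served.
CERT_NAME = {
    "www.youtube.com": "*.google.com",
    "book.google.com": "*.google.com",
}

def name_seen(host, can_decrypt):
    """Name the filter can evaluate for an HTTPS request.

    Without decryption it only sees the certificate name; with
    decryption (man-in-the-middle) it sees the real hostname.
    """
    return host if can_decrypt else CERT_NAME[host]

def url_filter(name, url_list):
    """Walk an ordered URL list using substring matching (an assumption).

    block  -> stop and deny
    exempt -> stop and permit, skipping all later entries
    allow  -> permit this entry but keep checking later entries
    """
    for pattern, action in url_list:
        if pattern in name:
            if action == "block":
                return "blocked by " + pattern
            if action == "exempt":
                return "exempt"
    return "passed"

def verdict(host, url_list, can_decrypt=False):
    return url_filter(name_seen(host, can_decrypt), url_list)

# Constructed URL lists; entry order is evaluation order.
ALLOW_LIST = [("book.google.com", "allow"), ("google.com", "block")]
EXEMPT_LIST = [("book.google.com", "exempt"), ("google.com", "block")]

if __name__ == "__main__":
    for label, rules in (("allow", ALLOW_LIST), ("exempt", EXEMPT_LIST)):
        for host in CERT_NAME:
            for decrypt in (False, True):
                mode = "hostname" if decrypt else "cert-name"
                print(label, host, mode, "->", verdict(host, rules, decrypt))
```

When the filter can only read the certificate name, both hosts are evaluated as the same string, so any entry has to match that name rather than the hostname the user typed.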