othmanyeopzainuddin
New Contributor

Web filtering: Unable to allow access to book.google.com

Hello,

I am having an issue with our Fortigate 100.

Previously my regional manager made changes on our devices.

It was supposed to block YouTube, since we did not manage to block the YouTube HTTPS.

For a few days it seemed OK, but after a while we noticed book.google.com is blocked too, which is a big issue for some of our departments.

We are also facing certificate errors a lot as well.

When we try to open YouTube, it will say the block url:google.com.

We did not put google in the blocking list. I tried putting book.google.com in web filtering as "allow" too, but still no success.

Any advice on unblocking book.google.com?

 

Regards,

Sora

 

Dave_Hall
Honored Contributor

Hi Sora.

 

Welcome to the forums.

 

The Fortigate uses two possible methods (more in later firmware releases) for detecting sites visited via HTTPS: 1) SSL inspection and 2) deep packet inspection. SSL inspection is where the Fortigate peeks at the .cn name on the security certificate of the site visited, whereas deep packet inspection requires the Fortigate to play a "man-in-the-middle" by substituting its own security certificate in order to decrypt the SSL connection in order to see what actual site is being visited. Because the 100 is so old (last firmware release for it was 3.0MR7 Patch 10) it is only able to use SSL inspection. Because youtube uses Google's *. wildcard security certificate, the 100 will only see *.google as the visited HTTPS URL. (This is true for any Google-related site that uses the same *. wildcard security certificate.)

 

Your best option to "kinda/sorta" block youtube on your 100 if it is running the really old firmware, is to create a set of FQDN Youtube addresses (e.g. "www.youtube.com", "youtube.com", "i1.ytimg.com", "youtube-ui.l.google.com"), place them into a group and use it as a destination address in a firewall policy, set the action to block....then move this firewall policy up in the firewall chain so it triggers (before your general web traffic firewall policy).

 

As for allowing book.google.com, set the web filter URL action to exempt and (if possible) move this entry up in the URL list.  The "Allow action" in URL filter will still subject the URL to other URL filter rules in your URL filter list.

 

If you still need further help, it would help us out if you provided more info on the problem, like what actual firmware is running on the 100 and maybe a brief rundown on how the firewall policy rules are set up (screenshots sans identifiable IPs), how your web filter policies are set up, etc.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
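
The over-blocking described in the reply above, modelled as an added example (not part of the original thread and not FortiOS code): a filter that only reads the certificate name cannot tell apart two sites that share one wildcard certificate. The host names, the `*.example.com` certificate and the `(domain, action)` rule format are constructed assumptions.

```python
# Added illustration (not FortiOS code): a filter that reads only the name on
# the server certificate versus one that sees the requested host name.

# Constructed sample: host name -> name on the certificate that host presents.
CERT_NAME = {
    "video.example.com": "*.example.com",   # site the admin wants blocked
    "books.example.com": "*.example.com",   # site users still need
    "www.example.org": "www.example.org",   # unrelated site, own certificate
}

def visible_name(host, mode):
    """Name the filter gets to match on for an HTTPS visit to `host`."""
    if mode == "certificate":      # certificate-name inspection only
        return CERT_NAME[host]
    if mode == "deep":             # connection decrypted, real host name seen
        return host
    raise ValueError("unknown mode: %r" % mode)

def rule_matches(rule_domain, seen):
    """True if `seen` is `rule_domain` or a subdomain; a leading '*.' is ignored."""
    seen = seen.lower()
    if seen.startswith("*."):
        seen = seen[2:]
    rule_domain = rule_domain.lower()
    return seen == rule_domain or seen.endswith("." + rule_domain)

def verdict(host, rules, mode):
    """First matching (domain, action) rule wins; the default is allow."""
    seen = visible_name(host, mode)
    for domain, action in rules:
        if rule_matches(domain, seen):
            return action
    return "allow"

def compare(rules):
    """Verdict per host as (certificate mode, deep mode), for side-by-side reading."""
    return {h: (verdict(h, rules, "certificate"), verdict(h, rules, "deep"))
            for h in CERT_NAME}

if __name__ == "__main__":
    for rules in ([("video.example.com", "block")], [("example.com", "block")]):
        print(rules)
        for host, (cert, deep) in compare(rules).items():
            print("  %-18s certificate=%-5s deep=%s" % (host, cert, deep))
```

With certificate-only visibility, the host-specific rule never fires, and the only rule that stops the video site is the domain-wide one, which takes the books site down with it.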
