Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vvserpent
New Contributor II

Webfilter and Full SSL Inspection

Dear Sir,

 

 

I planning to implement the Fortigate Webfitler .

 

What is the effect to the Fortigate Webfilter if Full SSL Inspection is not enabled?

 

Without Full SSL Inspection, the function of the Webfilter is limited, as it cannot decrypt and  analyse the whole URL inside the HTTPS connection, some harmful URL / Website cannot be blocked?

 

It is painful to install the Fortigate Certificate into huge amount of workstation manually. ..Is there alternative way to do the Webfilter task ?

4 REPLIES 4
sw2090
Honored Contributor

In fact without Deep Packet Inspection the URL filter cannot work. So the webfilter in this case can only check domain names against the FortiGuard cathegories since this information can be gathered out of the request without decrypting it. So this is the limit it then has.

Also all other UTM filters like IPS, AppControl or FileFilter etc will not work without DPI.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
vvserpent
New Contributor II

I did further research ,  the windows GPO can help to install SSL certificate into computers. It is time to study GPO .

sw2090
Honored Contributor

yes GPO or Intunes. That's the way we did it here.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
AEK
Honored Contributor II

Hello

Either you install FGT certificate on the client hosts with GPO, or you install your domain's sub CA certificate on the FortiGate.

Ref:   https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/680736/microsoft-ca-deep-packet-inspect...

AEK
AEK
Labels
Top Kudoed Authors