Hi FortiGuys,
One of my clients wanted to block fb, but without using SSL inspection, as he didn't want to install the cert on 100s of his staff computers.
I explained that without that there would be no other way to get it done.
Then, to convince the client, I opened a Fortinet ticket and got the same response: that this can't be done without SSL inspection and cert installation.
Now this guy hired some other service provider, and those guys simply blocked social media signatures in app control, applied it to the policy, and IT HAS WORKED.
It doesn't say "fortiguard blocked" but just keeps the loading icon spinning and fb doesn't load at all.
The whole situation is turning so embarrassing.
Please tell me, is this a proper workaround? Will this work in the long term? How is this even working? It looks like the browser simply doesn't complete the request in some way.
Any explanation here would be appreciated, thanks.
Hello,
Let me explain. To block most of the SSL applications, all that is required is certificate-inspection, not necessarily deep-inspection. Deep-inspection allows the FortiGate to identify more specific features of, let's say, Facebook - like Facebook_Chat and Facebook_Video. If your requirement is simply to block the application entirely, setting Facebook to Block with certificate-inspection is enough. The FortiGate parses the SNI in the SSL session to decide what the hostname of the session's destination is.
>>It doesn't say "fortiguard blocked" but just keeps the loading icon spinning and fb doesn't load at all.
If an SSL session is blocked without deep-inspection enabled - meaning only certificate-inspection is used - the FortiGate will not be able to send a replacement message. The replacement message is sent on a "best attempt" basis, meaning there will be some scenarios where the FortiGate cannot send the replacement message without breaking the fundamentals of the HTTP protocol.
HoMing
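To make the SNI-based identification HoMing describes concrete, here is an added example (not FortiGate code and not from this thread) that pulls the host_name out of a TLS ClientHello without decrypting anything and applies a constructed domain list that stands in for an app-control signature. The ClientHello builder produces a constructed sample, not a real capture, and the `BLOCKED` tuple and the `no-sni` verdict are assumptions of this example.

```python
import struct
BLOCKED = ("facebook.com", "fbcdn.net")   # constructed stand-in for an app-control signature

def _u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]

def extract_sni(record):
    """Return the SNI host_name from a raw TLS ClientHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        hs = record[5:5 + _u16(record, 3)]
        p = 4 + 2 + 32                      # handshake header, client_version, random
        p += 1 + hs[p]                      # session_id
        p += 2 + _u16(hs, p)                # cipher_suites
        p += 1 + hs[p]                      # compression_methods
        ext_end, p = p + 2 + _u16(hs, p), p + 2   # extensions (absent -> struct.error)
        while p + 4 <= ext_end:
            ext_type, ext_len = _u16(hs, p), _u16(hs, p + 2)
            body, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type != 0:               # extension 0 = server_name (RFC 6066)
                continue
            q = 2                           # skip server_name_list length
            while q + 3 <= len(body):
                name_len = _u16(body, q + 1)
                if body[q] == 0:            # name_type 0 = host_name
                    return body[q + 3:q + 3 + name_len].decode("ascii", "replace")
                q += 3 + name_len
    except (IndexError, struct.error):
        pass                                # truncated or malformed: no name recovered
    return None

def verdict(record):
    sni = extract_sni(record)
    h = (sni or "").lower().rstrip(".")
    if not h:
        return "no-sni"                     # nothing to match on: ClientHello carried no name
    return "block" if any(h == d or h.endswith("." + d) for d in BLOCKED) else "allow"

def build_client_hello(host=None):
    # Constructed minimal ClientHello (not a real capture) for offline testing.
    exts = b""
    if host is not None:
        entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Because the decision is made on the cleartext ClientHello, before any HTTP is exchanged inside the tunnel, there is no place to inject a replacement page, which matches the spinning loader the original poster saw.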
I think this is liaised with DNS. I work with a customer for whom I configured application control. Their HA cluster doesn't have SSL inspection enabled, but Facebook still shows up in the application logs. Also, when you enable certificate inspection, the certificate domain name is readable. I always assume(d) that the FGT uses the DNS entries. But I will follow this thread to maybe know it for sure.
Kind regards,
Ralph Willemsen
Arnhem, Netherlands
Thanks for the response, Ralph.
FortiGate TAC did not even mention this as a way to block HTTPS websites, and this has created an issue for us now.
Will this successfully block the sites, or is there a chance of them opening up at some point?
Hello Allwynmasc, I did a quick check and I noticed that most/all(?) applications are recognized (e.g. Skype, Google).
I don't think it will notice sub-items, like on Facebook (e.g. chat or video), but I recommend you to test it.
I think it will be successfully blocked from what I have seen. Please let me know if you find something.
Regards,
Ralph Willemsen
Thanks.
The thing is, we simply told the client he would have to install the SSL certificate on all his 100+ machines, after which he went to a different firm and got this solution without installing the SSL cert.
Fortinet should at least put this out there, but the sad part is their own TAC is not aware of half the features.
Hi guys,
It has been a long time since this post; did you get any answer?
I have the same scenario, my FortiGate is recognising and blocking all the https applications (facebook, youtube, etc.) and it is not using deep inspection. How then does FortiGate read the encrypted traffic?
Regards,
Julián
Hi HoMing,
It makes a lot of sense. That answers the question of my other post:
https://forum.fortinet.com/tm.aspx?m=157911
Very good explanation. Thanks for clarifying.
Regards,
Julián