Troubleshooting Tip: SSL-exempt setting does not show all of the addresses in the GUI and it is not possible to add them through the GUI

tpatel · ‎03-17-2024

Description

This article describes how to resolve an issue with SSL-exempt addresses not showing up as expected in the interface.

Scope

FortiOS 7.4.3.

Solution

In the SSL inspection profile in FortiOS 7.4.3, SSL-exempt addresses added through the GUI may not show up.

Trying to add the addresses through the CLI will result in them showing up correctly in the CLI configuration, but not in the GUI.

CLI configuration:

config ssl-exempt
            edit 1
                set type address
                set address "dmz"
            next
            edit 2
                set type address
                set address "gmail.com"
            next
            edit 3
                set type address
                set address "lan"
            next
            edit 4
                set type address
                set address "login.windows.net"
            next
            edit 5
                set type address
                set address "test"
            next
            edit 6
                set type address
                set address "wildcard.google.com"
            next
            edit 7
                set type wildcard-fqdn
                set wildcard-fqdn "skype"
            next
            edit 8
                set fortiguard-category 33
            next
            edit 9
                set fortiguard-category 87
            next
        end
    next
end

FortiGate GUI interface:

To work around this issue, add the addresses in the CLI. This issue will be resolved in the GUI in FortiOS 7.4.4.