Inspect All the traffic of clients.
Hi guys, this is probably gonna be a very dumb post because I am new in this field. So, I have a Fortinet firewall installed on premises. My employer wants to inspect each and every URL the clients visit; even the data shared between server and client should be in clear text. I thought of implementing DPI, but while studying it I found out that websites which use HSTS don't allow DPI. Now I'm wondering about any solution and need your help. I would appreciate any kind of help received. Thanks in advance.
Labels: FortiGate
In terms of URL tracking, the Web Filter security profile does the job. You'll just need to set all the Allowed categories to Monitor so that legitimate websites will be logged as well.
To prevent certificate errors while using DPI, follow this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a... Alternatively, use a CA certificate that is signed by a 3rd party instead of using FortiGate's CA certificate for the purpose of doing deep packet inspection.
Hi @mohar,
I believe Web Filter should do the job. Please refer to this document: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/833698/web-filter
Regards,
Minh
Hi @mohar,
You can use SSL deep inspection and whitelist websites that don't allow DPI. Please refer to this article on how to exempt: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-exempt-government-category-from-dee....
Regards,
Hello @mohar
You may want to use proxy inspection mode for your requirement. Here is more information on that:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/969330/proxy-mode-inspection
In proxy mode, FortiGate will act as an intermediary, and sessions created by the user will be proxied by the FortiGate. This allows FortiGate to inspect the content of the sessions and allows more control over what is allowed.
Here is how you can change the inspection mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-the-inspection-mode-of-the-firewa...
You will also need to have SSL deep inspection:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a...
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/122078/deep-inspection
If you have additional questions, let me know.
Regards,
Varun
