Support Forum
LanceMc
New Contributor

DNS web filtering instead of SSL inspection?

Hi, I want to set up some basic web category filtering for our school. A common problem is that we can block "http://facebook.com" but we can't block "https://facebook.com". Is there an easy way to do this without setting up SSL Inspection? I have seen articles about DNS Inspection mode for the web filtering but no doc on how to set it up. Do the clients need to use the Fortigate as their DNS server? Currently we use internal MS DNS with forwarding to external (ISP) DNS. How would this need to change to use DNS mode? TIA
Bromont_FTNT
Staff

What firmware are you running? You can block sites without deep SSL inspection by using the certificate CN and/or SNI.
LanceMc
New Contributor

Hi, thanks for your reply. Firmware is v5.0, build3608 (GA Patch 7). Can you send me a link to a doc or basic instructions for setting up this blocking filter?
Dipen
New Contributor III

FortiOS 5.0.x has issues with blocking HTTPS sites, but FortiOS 5.2 is out and it has better HTTPS blocking capabilities. In any case you can always use Application Control instead of Web Filters to achieve your results.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
pcraponi
Contributor II

You can follow this doc to block HTTPS without deep scan: http://docs.fortinet.com/d/fortigate-configuring-fortios-v5.0-webfiltering-for-https-scanning-without-ssl-deep-scanning It does not work for all websites (YouTube, for example), but for Facebook it works fine. This method blocks using the cert CN...

Regards, Paulo Raponi
Dipen
New Contributor III

All because of certificates. A mismatch between the URL and the CN in the certificate always causes this. YouTube is a pain because the certificate of YouTube is *.google.com. Application Control is more helpful for blocking HTTPS.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
LanceMc
New Contributor

Many thanks for the replies. I have arranged for the OS to be upgraded to 5.2 then we will try the solutions suggested.
pcraponi
Contributor II

5.2 is a very new OS. It still has some bugs... The best way is to try with 5.0.7 and if you have NO SUCCESS, you can upgrade to 5.2... I can confirm that 5.0.7 works fine with HTTPS blocking.

Regards, Paulo Raponi
Bromont_FTNT
Staff

Just to be clear... before v5, non-deep SSL inspection used only the certificate CN, thus Google sites could not be differentiated. In v5, inspection via SNI was also added, so YouTube etc. can be blocked without SSL deep inspection.
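The CN-versus-SNI distinction above is the whole reason YouTube could not be blocked by the older method. As an added example (not from this thread and not Fortinet's code), the following Python synthesizes a minimal TLS ClientHello carrying an SNI extension, extracts the server_name from it the way a non-decrypting inspector does, and contrasts the verdict with one based only on the server certificate's CN. The blocklist, the ClientHello bytes and the policy helpers are constructed for this example; the CN "*.google.com" for YouTube is taken from Dipen's post above. Real inspection reads the ClientHello off the wire rather than building it.

```python
"""Added example: identify an HTTPS destination without decryption via SNI,
and show why certificate-CN matching alone cannot separate Google properties."""
import struct
from typing import List, Optional

# Constructed school blocklist (assumption for the example, not a real policy).
BLOCKED_SITES = ["facebook.com", "youtube.com"]


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI host_name entry."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    extension = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + b"\x00" * 32                           # random (zeroed; constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the SNI host_name, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                    # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                        # not a ClientHello
            return None
        pos = 4 + 2 + 32                         # header, version, random
        pos += 1 + hs[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                       # compression_methods
        if pos + 2 > len(hs):
            return None                          # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                list_len = struct.unpack("!H", hs[pos:pos + 2])[0]
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    name_type, name_len = struct.unpack("!BH", hs[p:p + 3])
                    p += 3
                    if name_type == 0:
                        return hs[p:p + name_len].decode("ascii")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


def host_in_policy(host: str, blocked: List[str]) -> bool:
    """True if host equals a blocked name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def verdict_from_cn(cert_cn: str, blocked: List[str]) -> str:
    """CN-only inspection: the only identity available is the certificate subject CN.
    A wildcard CN such as '*.google.com' says nothing about which property was
    requested, so the best the inspector can do is treat it as its base domain."""
    effective = cert_cn[2:] if cert_cn.startswith("*.") else cert_cn
    return "block" if host_in_policy(effective, blocked) else "allow"


def verdict_from_sni(record: bytes, blocked: List[str]) -> str:
    """SNI inspection: the client names the exact host before any encryption starts."""
    sni = extract_sni(record)
    if sni is None:
        return "allow (no SNI; deep inspection would be needed to identify the site)"
    return "block" if host_in_policy(sni, blocked) else "allow"


if __name__ == "__main__":
    print("CN *.google.com  ->", verdict_from_cn("*.google.com", BLOCKED_SITES))
    print("CN *.facebook.com->", verdict_from_cn("*.facebook.com", BLOCKED_SITES))
    for name in ("www.youtube.com", "www.google.com"):
        print("SNI", name, "->", verdict_from_sni(build_client_hello(name), BLOCKED_SITES))
```

Run stand-alone it shows the asymmetry from the thread: with the certificate CN the inspector sees only "*.google.com" and must allow (or block all of Google), while the SNI names "www.youtube.com" outright and is blocked while "www.google.com" passes. A client that omits SNI, or an encrypted ClientHello, falls back to the "cannot identify" branch, which is exactly where deep inspection becomes necessary.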
Prab

Hi all,

 

In firmware version 5.6.3, build1547, I tested the certificate-based inspection and I was able to block youtube.com and allow google.com using Web filter only.

 

The following screenshot shows it:

 

I did not get any certificate warnings. The client browser will just see the default ERR_CONNECTION_CLOSED or "This site can't be reached" message. It's worth noting that I did configure my filter not to display a block page/replacement message.

Hope it helps!

 

Thanks & regards,

Prab :)
