Support Forum
thrillseeker
New Contributor

Web Filtering Explicit Proxy and CONNECT method

Hi all,

I just configured explicit proxy with a web filtering profile based on fortiguard web categories.

I'm wondering if it's possible on FG in explicit proxy mode to block certain Fortiguard web categories based on the URL string used in the CONNECT 443 method for SSL. Please note I don't want to use any SSL inspection profiles (certificate/full) on my explicit web proxy rules!

Since modern browsers especially Google Chrome use HSTS, SSL inspection is not an option for me at the moment. Other web proxy vendors like Bluecoat are able to handle web category filtering without any SSL inspection based on URL string being used int the CONNECT 443 method.

Thanks a lot for your feedback

cheers

Thrillseeker

5 replies
hmtay_FTNT
Staff

Hello thrillseeker,

Yes, the FortiGate is capable of doing web filtering without SSL deep-inspection. The FortiGate can inspect the SNI on the Client Hello or the server SSL Certificate. You need to enable certificate-inspection instead of deep-inspection. 

thrillseeker

Hi,

Thanks for your feedback.

As I wrote, when the website uses HSTS, certificate/SNI inspection is not a good solution.

My question was whether the FG in explicit web proxy mode is able to detect client-requested URLs within the CONNECT method, without any SSL profile enabled.

Thanks & Regards

Lukas 

hmtay_FTNT

>>As I wrote, when the website uses HSTS, certificate/SNI inspection is not a good solution.

With certificate-inspection, the FG does not do a MitM. The FG does not replace the SSL Certificate with the FG's Certificate. Whether a website uses HSTS or not, if we do not replace the SSL Certificate, you will not get a browser error. 

>>My question was if FG in explicit web proxy mode is able to detect client requested URL's within the CONNECT 

Yes the FG can. You can give it a try and let me know here if you cannot block a site.

thrillseeker

Hi,

I know that the FG is able to handle it with certificate inspection only. But the problem is that when the site uses HSTS (e.g. https://www.facebook.com or https://www.youtube.com) the client will get a certificate error, because the block page from the FG will be delivered in the same HTTPS connection, and this is of course a man-in-the-middle attack in the context of HSTS. With HSTS the client will be forced (the server sends the HSTS header info) to send any data to a domain (e.g. facebook.com) over a secured connection only, for a certain amount of time.

As a workaround I set "https-replacemsg" in the webfilter profile to "disable". So the client will get a TCP RESET instead of a block page (e.g. for https://www.facebook.com) over HTTPS. It's not the best solution, but still better than a certificate error every time the block page is served for a site that uses HSTS. Of course the other solution would be to trust the FG's certificate on all client systems, but unfortunately this is not possible in our environment.

So I'm still wondering whether there is any other solution when using the FG as an explicit proxy (not in transparent proxy mode!) to do URL filtering for HTTPS based on the CONNECT method hostname, because at this point the SSL connection between client and proxy (FG) is not fully established and the block page can be delivered back over HTTP (e.g. tcp/8080) to the client without any certificate error.

Thanks

Thrillseeker
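
The timing distinction thrillseeker describes above, as an added example that is not part of the original thread and not Fortinet code: a minimal explicit-proxy decision function that reads the hostname out of the plaintext CONNECT request-line and, when the host is on a constructed blocklist, answers with an ordinary HTTP 403 block page before any TLS byte is relayed (no certificate is presented, so HSTS does not come into play). Beside it, an SNI extractor shows the only hostname a filter gets once it is looking at the tunnel contents, which is the point where a block page would require a forged certificate. The blocklist, the CONNECT requests and the ClientHello built by `build_client_hello` are constructed test inputs; the parsing is deliberately simplified (one server_name entry, no fragmentation handling).

```python
# Added example (not Fortinet code): where an explicit proxy can decide on the
# hostname of an HTTPS request, and what it can still send back at that point.
import html
import re
import struct

# Constructed sample policy: domains whose categories the proxy should block.
BLOCKED_HOSTS = {"facebook.com", "youtube.com"}

CONNECT_RE = re.compile(rb"CONNECT[ \t]+(\[[0-9A-Fa-f:.]+\]|[^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request-line, or None if malformed.

    The request-line is plaintext HTTP between client and proxy; no TLS has
    started, so no certificate (and therefore no HSTS) is involved.
    """
    m = CONNECT_RE.fullmatch(request.split(b"\r\n", 1)[0])
    if not m:
        return None
    host = m.group(1).decode("ascii").strip("[]").lower().rstrip(".")
    port = int(m.group(2))
    return (host, port) if 0 < port < 65536 else None


def is_blocked(host: str, blocked=BLOCKED_HOSTS) -> bool:
    """Exact or parent-domain match: m.facebook.com matches facebook.com."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def handle_connect(request: bytes, blocked=BLOCKED_HOSTS):
    """Decide on a CONNECT before relaying a single TLS byte.

    Returns ("block", http_response): a 403 block page the browser renders with
    no certificate error; ("tunnel", (host, port)): reply 200 and start
    relaying; or ("reject", http_response) for a malformed request.
    """
    parsed = parse_connect(request)
    if parsed is None:
        return "reject", b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    host, port = parsed
    if is_blocked(host, blocked):
        body = (f"<html><body><h1>Access blocked</h1>"
                f"<p>{html.escape(host)}:{port} is blocked by policy.</p></body></html>").encode()
        head = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\n"
                + f"Content-Length: {len(body)}\r\n".encode() + b"Connection: close\r\n\r\n")
        return "block", head + body
    return "tunnel", (host, port)


def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    A filter that only sees the tunnel contents learns the hostname here. The
    browser already expects TLS from the origin, so the only block that does
    not need a forged certificate is to close the connection (TCP RST).
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        p += 1 + record[p]                                  # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]     # cipher suites
        p += 1 + record[p]                                  # compression methods
        ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == 0:                               # server_name extension
                q = p + 2                                   # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type, name_len = record[q], struct.unpack_from("!H", record, q + 1)[0]
                    q += 3
                    if name_type == 0:                      # host_name
                        return record[q:q + name_len].decode("ascii").lower()
                    q += name_len
                return None
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"            # one cipher suite
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

`handle_connect(b"CONNECT www.facebook.com:443 HTTP/1.1\r\n\r\n")` returns a plain HTTP 403 page, which the browser renders as the proxy's response to the CONNECT, not as a page from facebook.com; `extract_sni(build_client_hello("www.youtube.com"))` returns the hostname that a certificate-inspection style filter would match on, after the proxy has already answered 200 and the client has started TLS.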

hmtay_FTNT

Hello ThrillSeeker,

I understood your question now. Thank you for the explanation. I am sorry to tell you that we are not able to do the HTTP replacement message on the CONNECT request for an HTTPS session. The explicit proxy will process the CONNECT request, and the first packet forwarded to the Web Filter/App Control module is the Client Hello packet.

Besides the 2 solutions you mentioned, the other solution (more pricey) is to purchase a properly signed SSL Certificate and import the private key into the FortiGate. That will build the proper trust chain and you will not get an HSTS error for those sites.

Sorry for the inconvenience. Let me know if you have more questions. Thanks!

HoMing
