How to block HTTPS sites without SSL inspection

Author: jft3166 (New Member)
2017/05/03 00:50:05 (tagged 5.4)

Hi everybody,
I have a FortiGate 800C on version 5.4.
I want to block HTTPS sites with the web filter, but in my business we can't use SSL inspection; it's forbidden under French law...
Do you know how I can block HTTPS sites without SSL inspection?
I know the solution with a DNS server to redirect domains to a specific page, or the solution of blocking the IP, but it's too tedious and not completely efficient.
Thanks for your answers.
Best regards,
jft
#1


    EMES (Silver Member), 2017/05/03 08:08:47
    First create address objects with the FQDN of the websites you want to block. Then create a security policy going from inside to outside, service HTTPS, and the new address objects. I think that should block the HTTPS version of the website. Depending on how many websites you are blocking this may get a bit much because of the DNS lookup the firewall has to do when it processes the policy, and the IP may not be the same every time: https://forum.fortinet.com/FindPost/118125 .
     
    You can also create two different policies, one for service HTTP and one for HTTPS, and attach different web filtering profiles to them, blocking the sites you want on the HTTPS side. It will take more work to maintain both profiles, but it should get you what you need.
    post edited by EMES - 2017/05/03 08:42:56
    #2
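    The FQDN-object approach EMES describes, written out as FortiOS 5.4 CLI. This is an added example, not EMES's own configuration and not a Fortinet reference config: the interface names internal and wan1, the object name fqdn-blocked-site, the host www.example.com, the policy ID 10 and the ID 1 of the existing general allow rule are assumed placeholders. Lines starting with # are comments for the reader.

```text
# 1. One address object per site to block. The FortiGate resolves the
#    name itself and matches on the addresses it currently has cached.
config firewall address
    edit "fqdn-blocked-site"
        set type fqdn
        set fqdn "www.example.com"
    next
end

# 2. A deny policy from the LAN to the WAN for service HTTPS only,
#    with the FQDN object as destination. No web filter profile is
#    involved, so no SSL inspection profile is needed on this rule.
config firewall policy
    edit 10
        set name "deny-https-blocked-sites"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "fqdn-blocked-site"
        set action deny
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 3. Policies are evaluated top-down, so the deny rule must sit above
#    the general outbound allow rule (assumed here to be policy 1).
config firewall policy
    move 10 before 1
end
```

    Because this is a plain deny policy rather than a web filter verdict, the user sees a connection failure in the browser, not a block page. A site served from many CDN addresses can still slip past when the FortiGate's cached resolution does not cover the address the client picks, which is the DNS caveat EMES raises.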
    hmtay_FTNT (Platinum Member), 2017/05/03 18:46:02
    Hello jft,
     
    You do not need to enable deep inspection to block most HTTPS sites. In your policies, if you enable "certificate-inspection" under SSL Inspection, the FortiGate will scan the Client Hello SNI or the Server Certificate commonName. It will not do a man-in-the-middle interception.
     
    For example, if you add a Static URL filter for "*.facebook.com", it will work for HTTP and HTTPS sessions.
     
    HoMing
    #3
    jft3166 (New Member), 2017/05/09 06:34:10
    Hello EMES and hmtay_FTNT,
     
    Thank you very much for your answers!! I will try your solutions.
     
    EMES's solution is good but may be heavy, having to create all the objects with FQDNs.
     
    hmtay_FTNT's solution seems better, but the page "the connection is not secure, add an exception..." (the certificate problem page) appears, and after it the Fortinet message appears which says: "Web Page Blocked".
    The result is good because the pages are blocked! Pity there is this problem of the insecure page...
     
    Thanks!
     
    Jft
    #4
    shennar (New Member), 2017/05/26 00:17:14
    I have the same problem.
    When I block an HTTPS website I get a certificate error, not the block page from FortiGuard.
    #5
    Bromont_FTNT (Platinum Member), 2017/05/26 05:19:14
    shennar, you are getting the block page from the FortiGate, but it's HTTPS and thus presenting the FortiGate certificate. Your browser expects HTTPS AND the certificate to match the site you're attempting to visit, so it presents the certificate error.
    #6
    shennar (New Member), 2017/05/30 00:47:41
    thank you Bromont_FTNT
     
    Is there any way I can disable SSL inspection?
    Because after the upgrade to version 5.6, if you want to enable the web filter you must enable SSL inspection.
    #7
    a.acampa (New Member), 2017/07/07 07:40:23
    shennar wrote:
        I have the same problem.
        When I block an HTTPS website I get a certificate error, not the block page from FortiGuard.

    This is not a problem with Fortinet; it is a feature limitation.
    It is due to the redirection of HTTPS traffic.
    It is not possible to perform a redirection to a page on HTTPS traffic without HTTPS deep inspection, and this is true for all vendors.
     
    If you want the block page, you need deep inspection.
    #8
    AlexL (New Member), 2017/07/11 06:14:32
    You can block access to a secure site without using deep inspection. To do this, in the web filter, in the Static URL Filter section, add the required site for the block/allow in the format sitename:443.
    In this way, you can block access to a specific site for HTTP (sitename:80) and allow access to the same site for HTTPS (sitename:443). I hope this information will be useful.
    This works in version 5.6.0, and it will probably work in version 5.4.
    post edited by AlexL - 2017/07/11 09:03:31
    #9
    snobs (Silver Member), 2019/01/11 00:39:29
    Hi,
     
    I have a similar problem. I do not want "deep inspection", but I want "https://domains.com" to be blocked.
    Has something changed with FortiOS 6.0?
    e.g.
    http://pipeslocks.com/ is blocked, but
    https://pipeslocks.com/ isn't.
     
    On vdom root => Security Profiles => Web Filter => Static URL Filter I tried several entries, e.g.:
    *.pipeslocks.com
    pipeslocks.com:443
     
    #10
    Yurisk (New Member), 2019/01/11 03:23:47
    It cannot change with 6.0, as SSL inspection is about SSL more than it is about Forti or any other vendor, actually.
    But between "Deep Inspection" and No Inspection there is a middle step, Certificate Inspection; have you tried it?
    The difference is that Forti looks at the certificate SNI values to understand what host a user is trying to reach, WITHOUT looking into packet contents. So it does not intercept/proxy the SSL connection as Deep Inspection does, and accordingly will not cause browsers to display a Certificate Error message.
     
    And as a kind of alternative (kind of, as it can be easily bypassed by a user) there is DNS filtering, which blocks not HTTP/HTTPS requests to sites but DNS RESOLVING of those sites. It requires licensing, by the way, and as I said can be circumvented by a prepared user.
     
    post edited by Yurisk - 2019/01/11 08:33:25
    #11
    Dave Hall (Expert Member, Canada), 2019/01/11 08:03:36
    @snobs
     
    Certificate inspection in this case is likely your only option, unless you want to craft a firewall policy rule that blocks the FQDN or static IP for that site. Such a firewall policy will need to be moved above any general web traffic firewall rule so it can be triggered. pipeslocks.com looks to be a good example of a site to block (if the page title is anything to go on).
     
    NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
    #12
    snobs (Silver Member), 2019/01/11 15:23:20
    @Dave and Yurisk: Thank you
     
    Certificate inspection is also enabled for the policy, but nothing happens: "https" resolves without any problem; for http I get the warning page from the FortiGate. Is there any global setting I have to set?
    #13
    Dave Hall (Expert Member, Canada), 2019/01/14 08:27:22
    Have you enabled/configured a proxy option profile and added it to the firewall policy? Has this policy been moved up in the firewall chain before any general (web) firewall rules?

    #14