- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL Inspection to selected websites
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Inspection to selected websites
Hello;
I want to accomplish what I think it makes a lot of sense for me but for some reason I didn't find a way to do it: I want to use SSL inspection ONLY for gmail, to avoid any worker uses any consumer email or a mail from any other GSuite domain. I don't want the firewall to process any other website with SSL, only gmail. I don't want to use the Application Control module, I need to minimize the resources to what it is needed, we have a Fortigate 100E and enabling the SSL deep inspection raises the CPU usage up to 40-50% because we have more than 100 people here.
Is there a way to do it? through GUI or CLI, I don't care, but I need that SSL inspection rule behaves like "any site but selected sites" instead of "all sites but exempted sites", since it's something I want to apply particularily to a selected number of sites, not removing it from them.
Thank you :)
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Typically it's the otherway you make exception per-site for what you do not want to inspect. Have you tried a wildcard FQDN in a policy rule and than enable ssl inspection for that one rule?
*.gmail.com HTTPS SSL_INSPT_PROFILE
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken;
I already tried but for some reason, fortigate does not allow wildcard FQDN's to be applied to Policy rules. I even tried to cheat it by making a group with some unrelated addresses and the group was appearing in the destination list to select from, but once I add any wildcard FQDN address that group dissapears from the selection list. To my understand, this is a nonsensical limitation but I don't mind as long as it can be accomplished through other way than installing Application Control module.
Thanks for your help :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A wildcard FQDN can't be used as an src/dst address object at a policy with FGT, because it can't be translated to address(es) via DNS. If you are running 5.6.x or above, you have an option to choose an Internet Service "Google-Gmail" in GUI (in CLI, set internet-service enable/set internet-service-id 65646). The GUI shows me it includes "Total IP Ranges: 352, Total IPs: 119110". I'm not sure what exactly IP Ranges mean though.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, that seems to be a solution, but I need to know two things: does it really work with gmail only? and, having that amount of IP's will overload the firewall? I'm very concerned about the performance, since for some reason Fortinet put a joke CPU inside the +1000$ 100E firewall. For that price it would have to have at least an 8 core Atom paired with 8GB of RAM...
Thanks for your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tried it myself. But whoever offers a solution, I wouldn't trust anything until I test it myself or one of my coworkers. You should test it yourself and if it doesn't work, open a case with TAC. It's an advertised new feature with 5.6 from FTNT. If it doesn't work, they need to fix it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Toshi :)
I can't update the FG right now since it is critical, I need to schedule a plan for doing it. Luckyly we bought a 100D without any license as a backup appliance in case the new 100E fails. Surprisingly, the 100D CPU is way better because I have exactly the same configuration and with the 100E the SSL deep inspection takes like 40-50% of the CPU but for the 100D only 25-30%. I'm starting to comprehend the nonsensical way of doing from Fortinet jaja, I started using these appliances only almost 2 years ago. I just hope the 100F is really something with a powerful x86 CPU and at least 8GB of RAM. Otherwise I'm planning to move to PFSense :(
Again, thank you very much :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Was having the same problem. I used your suggestion. Not as uniform as I would like, but it's working. I created a separate ACL for the URL, but set it as Accept in the ACL. I added the URL to the Web filter as a custom category and blocked it in the web filter profile. I applied the web filter profile to the ACL. I applied SSL Certificate inspection in the ACL, to ID the URL and block it after the user accepts the security warning. I suppose sometime in the future we will deploy the Proxy SSL cert to all workstations.
Related Posts
Labels
-
FortiGate
6,496 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
332 -
FortiSwitch
331 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.