SSL Inspection to selected websites

Author
esteve
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/13 06:33:56
  • Status: offline
2018/06/27 02:00:40 (permalink)
0

SSL Inspection to selected websites

Hello;
 
I want to accomplish something that I think makes a lot of sense for me, but for some reason I didn't find a way to do it: I want to use SSL inspection ONLY for gmail, to avoid any worker using any consumer email or a mail from any other GSuite domain. I don't want the firewall to process any other website with SSL, only gmail. I don't want to use the Application Control module, I need to minimize the resources to what is needed; we have a Fortigate 100E and enabling SSL deep inspection raises the CPU usage up to 40-50% because we have more than 100 people here.
 
Is there a way to do it? Through GUI or CLI, I don't care, but I need that SSL inspection rule to behave like "any site but selected sites" instead of "all sites but exempted sites", since it's something I want to apply particularly to a selected number of sites, not remove it from them.
 
Thank you :)
#1
emnoc
Expert Member
  • Total Posts : 5063
  • Scores: 307
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/27 05:21:23 (permalink)
0
Typically it's the other way: you make an exception per-site for what you do not want to inspect. Have you tried a wildcard FQDN in a policy rule and then enabled ssl inspection for that one rule?
 
*.gmail.com    HTTPS    SSL_INSPT_PROFILE
 
 
Ken
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
esteve
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/13 06:33:56
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/27 05:54:27 (permalink)
0
Hi Ken;
 
I already tried, but for some reason fortigate does not allow wildcard FQDNs to be applied to Policy rules. I even tried to cheat it by making a group with some unrelated addresses, and the group was appearing in the destination list to select from, but once I add any wildcard FQDN address that group disappears from the selection list. To my understanding, this is a nonsensical limitation, but I don't mind as long as it can be accomplished in some other way than installing the Application Control module.
 
Thanks for your help :)
#3
Toshi Esumi
Expert Member
  • Total Posts : 1220
  • Scores: 82
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/27 10:13:11 (permalink)
0
A wildcard FQDN can't be used as an src/dst address object at a policy with FGT, because it can't be translated to address(es) via DNS. If you are running 5.6.x or above, you have an option to choose an Internet Service "Google-Gmail" in GUI (in CLI, set internet-service enable/set internet-service-id 65646). The GUI shows me it includes "Total IP Ranges: 352, Total IPs: 119110". I'm not sure what exactly IP Ranges mean though.
#4
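As an added illustration of the CLI option Toshi mentions (this is not configuration from the thread or from Fortinet; interface names "internal"/"wan1", the policy IDs and the use of the built-in "deep-inspection" and "certificate-inspection" profiles are assumptions), a policy pair where only the Gmail Internet Service gets deep inspection and everything else stays on certificate inspection; the Gmail policy must sit above the general one because policies match top-down:

```fortios
config firewall policy
    edit 10
        set name "gmail-deep-inspect"
        set srcintf "internal"          # assumed LAN interface
        set dstintf "wan1"              # assumed WAN interface
        set srcaddr "all"
        # Internet Service replaces dstaddr/service; 65646 = Google-Gmail (from the thread)
        set internet-service enable
        set internet-service-id 65646
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"       # full MITM only for this match
        set logtraffic all
        set nat enable
    next
    edit 20
        set name "general-web-no-deep-inspect"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection" # SNI/cert check only, no decryption
        set logtraffic all
        set nat enable
    next
end
```

Confirm the ordering afterwards with `show firewall policy` and, as Toshi advises, verify on a test client that only Gmail sessions present the firewall's re-signed certificate.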
esteve
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/13 06:33:56
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/27 12:47:40 (permalink)
0
Great, that seems to be a solution, but I need to know two things: does it really work with gmail only? And will having that amount of IPs overload the firewall? I'm very concerned about the performance, since for some reason Fortinet put a joke CPU inside the +1000$ 100E firewall. For that price it would have to have at least an 8 core Atom paired with 8GB of RAM...
 
Thanks for your help.
post edited by esteve - 2018/06/27 12:49:50
#5
Toshi Esumi
Expert Member
  • Total Posts : 1220
  • Scores: 82
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/27 12:54:13 (permalink)
0
I haven't tried it myself. But whoever offers a solution, I wouldn't trust anything until I test it myself or one of my coworkers does. You should test it yourself and if it doesn't work, open a case with TAC. It's an advertised new feature with 5.6 from FTNT. If it doesn't work, they need to fix it.
#6
esteve
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/13 06:33:56
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/28 13:38:47 (permalink)
0
Thank you Toshi :)
 
I can't update the FG right now since it is critical; I need to schedule a plan for doing it. Luckily we bought a 100D without any license as a backup appliance in case the new 100E fails. Surprisingly, the 100D CPU is way better, because I have exactly the same configuration and with the 100E the SSL deep inspection takes like 40-50% of the CPU but for the 100D only 25-30%. I'm starting to comprehend the nonsensical way of doing things from Fortinet haha, I started using these appliances only almost 2 years ago. I just hope the 100F is really something with a powerful x86 CPU and at least 8GB of RAM. Otherwise I'm planning to move to PFSense :(
 
Again, thank you very much :)
#7
jmaurelli
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/05/27 07:24:57
  • Status: offline
Re: SSL Inspection to selected websites 2018/06/29 09:09:19 (permalink)
0
Was having the same problem. I used your suggestion. Not as uniform as I would like, but it's working. I created a separate ACL for the URL, but set it as Accept in the ACL. I added the URL to the Web filter as a custom category and blocked it in the web filter profile. I applied the web filter profile to the ACL. I applied SSL Certificate inspection in the ACL, to ID the URL and block it after the user accepts the security warning. I suppose sometime in the future we will deploy the Proxy SSL cert to all workstations.
#8