tquessada
New Contributor

SSL inspection and dropbox

Hi everyone, I'm trying to use SSL inspection on an HTTPS policy rule. Everything seems to work after importing the Fortinet CA certs (Firefox) except Dropbox ("can't established secured connection"). I tried with Windows and Linux after importing the SSL CA cert but Dropbox refuses to connect. My tests:
 Firefox on an HTTPS website: OK
 curl -v https://www.dropbox.com: OK
 openssl s_client -connect www.dropbox.com:443 -showcerts: OK, displays the Fortinet CA.
I can see with Wireshark a TLSv1 error "unknown CA". I hope there is someone who has solved this issue or who could explain my mistake. Thanks for your help.
emnoc
Esteemed Contributor III

Maybe Dropbox does not support the Fortinet CA. You could place a firewall policy rule before your general rule to make an exception.

PCNSE NSE StrongSwan
romanr
Valued Contributor

The Dropbox client does not use the machine's certificate store to check validity. It has its own mechanism to check the authenticity of the server it is connecting to. So there is no possibility to decipher the Dropbox traffic and scan it! In most scenarios this would lead to disallowing Dropbox at all, because it would make most security policies meaningless if you scan SSL on the one hand and have no control over Dropbox... If you really need Dropbox you would need to do it the way emnoc mentioned: find out the IPs of the Dropbox servers and create a firewall policy for them above the SSL scanning policy. From a corporate point of view, if you need that kind of cloud feature for mobile and other devices, I would invest in some "private cloud" product and host it myself (easy and not expensive with QNAP or Synology NAS devices, but there are for sure a lot of products on the market)... br, Roman
tquessada

Thanks for your help. Even with the explicit proxy I can't make SSL inspection and/or DLP work. I'll follow your advice and I'll try something like ownCloud (open source) or SharePoint (Microsoft integrated).
billp
Contributor

If you're using FortiOS 5.x, I'm wondering if you could create a special SSL exception for Dropbox. I don't think you could otherwise easily create a firewall policy to exempt Dropbox because it uses Amazon S3. You'd have to exclude all of Amazon S3 access. In the CLI, I found these:
 config ftgd-wf
 exempt-ssl {all | <category_str>}   Enter categories to exempt from SSL inspection.
If you try exempt-ssl 'File Sharing and Storage' it might ignore Dropbox. Might be worth a try.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
PaulMetz
New Contributor

I'm no expert, but this is what I did. Under Security Profiles, SSL/SSH Inspection, I first cloned the deep inspection profile and then exempted reputable websites from SSL inspection. Under website categories I added Finance and Banking, which included Dropbox. I still have a firewall, antivirus and malware protection on each desktop, so I believe I should be good. You also have the ability to remove other websites from the Finance and Banking template. Please let me know if anyone disagrees; I'm new to this but I also feel it is something most of us should know. After this, be sure to edit your IPv4 policy and link the SSL inspection to your new custom SSL profile.

Paul
aluby7

I believe Dropbox usually only causes issues with the desktop/mobile application. In the browser, Chrome should pay attention to your internal certificates, but the application just fails if it sees something other than its own certificate due to certificate pinning. This is also why iTunes has issues.
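The behaviour described in this thread (a browser trusts the inspection CA once it is imported, while a pinned client fails, and a client without the CA reports "unknown CA") can be reproduced offline with self-made certificates. The script below is an added example and not part of the original thread or of any Fortinet or Dropbox code; all names (real-ca, inspect-ca, www.example.test, the trust-store.pem file that stands in for an OS store with the inspection CA imported) are hypothetical, and it assumes only that the openssl CLI is available. It builds two chains for the same hostname, one from the "real" CA and one from an "inspection" CA, then classifies each leaf the way a pinning client would: first the ordinary chain check against the trust store, then a comparison of the leaf's SPKI SHA-256 against the pin shipped in the client.

```shell
#!/bin/sh
# Added example (hypothetical names): why SPKI pinning defeats SSL inspection
# even when the inspection CA has been imported into the trust store.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca NAME: self-signed CA key pair and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1" -days 2 >/dev/null 2>&1
}

# make_leaf NAME CA HOST: server certificate for HOST signed by CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 2 >/dev/null 2>&1
}

# spki_pin CERT: base64(sha256(DER SubjectPublicKeyInfo)), the form pinning
# clients typically ship (the public key, not the CA, is what is pinned)
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# chain_ok LEAF STORE: succeeds if STORE (and nothing else) validates LEAF
chain_ok() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# pin_ok LEAF PIN: succeeds if the leaf's SPKI hash equals the shipped pin
pin_ok() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# classify LEAF STORE PIN: prints the verdict a pinning client would reach
classify() {
  if ! chain_ok "$1" "$2"; then
    echo "unknown CA"        # what Wireshark shows when the CA is not imported
  elif ! pin_ok "$1" "$3"; then
    echo "pin mismatch"      # chain is trusted, but the key is not the pinned one
  else
    echo "ok"
  fi
}

# Constructed PKI: the genuine chain and an inspection chain for the same host.
make_ca real-ca
make_leaf real-leaf real-ca www.example.test
make_ca inspect-ca
make_leaf mitm-leaf inspect-ca www.example.test

# A trust store into which the inspection CA has been imported (as the OP did).
cat real-ca.crt inspect-ca.crt > trust-store.pem

# The pin a client would ship: the SPKI hash of the genuine server key.
PIN=$(spki_pin real-leaf.crt)

echo "genuine leaf, CA imported:    $(classify real-leaf.crt trust-store.pem "$PIN")"
echo "inspection leaf, CA imported: $(classify mitm-leaf.crt trust-store.pem "$PIN")"
echo "inspection leaf, CA missing:  $(classify mitm-leaf.crt real-ca.crt "$PIN")"
```

The three verdicts map onto the thread: a browser stops at the chain check, so importing the CA is enough for it; a pinning client goes on to the SPKI comparison and rejects the inspection leaf no matter which CAs the store trusts, which is why only an exemption (by policy order or by category) rather than another certificate import makes such a client work.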
