jvergara
Staff
Article Id 195793

Description
This article describes how to exempt Webex for SSL Inspection.
Solution

Here is a step-by-step guide:

1. Configure firewall address objects that point to the Webex server ranges:

config firewall address
    edit "webex1"
        set subnet 62.109.192.0/18
    next
 
...
 
    edit "webex9"
        set subnet 210.4.192.0/20
    next
end

2. Configure a firewall address group containing those objects:

config firewall addrgrp
    edit "WEBEX"
        set member "webex1" "webex2" "webex3" "webex4" "webex5" "webex6" "webex7" "webex8" "webex9"
    next
end

3. Configure your firewall SSL-SSH profile:

config firewall ssl-ssh-profile
    edit "https"
        config https
            set ports 443
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
        config ssl-exempt
            edit 1
                set type address
                set address "WEBEX"
            next
        end
    next
end
 
4. Create your firewall policy.

On FortiOS 5.6 the administrator can create a firewall policy with an Internet Service as the destination address. When creating the policy at the top of the sequence list, select the desired incoming interface, source address and outgoing interface, and select Cisco-Webex as the destination. Apply NAT if needed and do not enable SSL inspection on this policy, so that this traffic is not subject to SSL inspection.

config firewall policy
    edit <Policy ID>
        set name "Webex"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-id 1966183
        set action accept
        set schedule "always"
        set nat enable
    next
end
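As an added example (not from the article or Fortinet), the Python below parses FortiOS CLI blocks like those in steps 1 to 3 and checks what the exemption actually covers: it resolves the ssl-exempt entry through the address group to the configured subnets, reports group members that have no address object (a common reason an exemption silently does nothing), and tells whether a given destination IP would bypass deep inspection. The sample config is constructed; it keeps only the webex1 object the article spells out and adds a deliberately undefined member "webex5".

```python
import ipaddress
import shlex
# Constructed sample in the article's CLI layout; "webex5" is referenced but deliberately undefined.
SAMPLE = """config firewall address
    edit "webex1"
        set subnet 62.109.192.0/18
    next
end
config firewall addrgrp
    edit "WEBEX"
        set member "webex1" "webex5"
    next
end
config firewall ssl-ssh-profile
    edit "https"
        config ssl-exempt
            edit 1
                set type address
                set address "WEBEX"
            next
        end
    next
end"""

def parse_fortios(text):
    # config/edit open a nested dict, set stores its arguments, next/end close the level
    cur = root = {}
    stack = []
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
    return root

def exempt_status(cfg, ip, profile="https"):
    # Is ip inside an address-type ssl-exempt entry (direct or via addrgrp)? Also collect undefined names.
    addrs, groups = cfg.get("firewall address", {}), cfg.get("firewall addrgrp", {})
    nets, missing = [], set()
    for entry in cfg["firewall ssl-ssh-profile"][profile].get("ssl-exempt", {}).values():
        for name in (entry.get("address", []) if entry.get("type") == ["address"] else []):
            for m in (groups[name]["member"] if name in groups else [name]):
                if m in addrs:  # "a.b.c.d/n" and "a.b.c.d mask" both parse once joined with "/"
                    nets.append(ipaddress.ip_network("/".join(addrs[m]["subnet"]), strict=False))
                else:
                    missing.add(m)
    return any(ipaddress.ip_address(ip) in net for net in nets), missing
```

Run it against the output of `show firewall address`, `show firewall addrgrp` and `show firewall ssl-ssh-profile` concatenated; a non-empty `missing` set means the group references objects that do not exist.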

Note: the "Exempt list" is only available when the SSL inspection profile uses the "Deep-inspection" option.