FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jjahanshahi
Staff
Article Id 198046

Description


SSL deep-inspection is preferred in firewall policies when data control must be very precise (i.e. where Application Control or DLP is used). Deep packet inspection requires more resources to decrypt the traffic than certificate inspection alone, so this option is provided to exempt certain categories from deep scanning, with the main goal of lowering resource usage (memory/CPU). This is not the only reason for exempting categories.

Certain applications look for specific certificates and will break when SSL deep-inspection is enabled. In the default deep-inspection profile, there are two predefined categories in the exempt list: "Finance and Banking" and "Health and Wellness".

Other categories can also be added to the list (older FortiOS versions can only perform this configuration via the CLI). Categories are based on the Webfilter categories, so a webfilter license is required, as well as a good connection to the Webfilter rating servers.


Solution


Through the GUI, the option to exempt reputable websites is also available.
Adding further categories to the exempt list is only one step away.
Clicking the "+" under "Web categories" presents the list of categories to choose from. From there, additional categories can be added, or existing ones removed.

For the CLI setup the approach is similar.
Use this command first to obtain a list of the available categories:

FortiGate # get webfilter categories

  g01 Potentially Liable:
      1 Drug Abuse
      3 Hacking
      4 Illegal or Unethical
      5 Discrimination
      6 Explicit Violence
     12 Extremist Groups
     59 Proxy Avoidance

  .......
To add categories to the exempt list, for example to add "Business" alongside the default entries 31 and 33, first note down the number that corresponds to "Business" in the list above, which is 49:

FortiGate (custom-deep-insp~ion) # show
config firewall ssl-ssh-profile

(...)

   config ssl-exempt

(...)

       edit 25
           set fortiguard-category 31
       next
       edit 26
           set fortiguard-category 33
       next

(...)

end

FortiGate (custom-deep-insp~ion) # config ssl-exempt

FortiGate (ssl-exempt) # edit 0

new entry '0' added

FortiGate (0) # set fortiguard-category 49

FortiGate (0) # end

The result:

FortiGate # show firewall ssl-ssh-profile custom-deep-inspection

(...)

    edit 27
       set fortiguard-category 49
    next
    edit 28
       set fortiguard-category 31
    next
    edit 29
       set fortiguard-category 33
    next
  end
next
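The lookup-then-configure procedure above is easy to get wrong by hand when several categories are involved (a mistyped number silently exempts the wrong traffic from inspection). The following Python script is an added example, not code from the article or from Fortinet: it parses the output format of "get webfilter categories" shown above, checks which categories the profile already exempts by parsing "show firewall ssl-ssh-profile" output, and generates the CLI block (using "edit 0" so FortiOS assigns the entry id, as in the article). The sample CLI outputs embedded in it are constructed to match the format on this page; the second category group and its number are illustrative only, and the profile name custom-deep-inspection is taken from the article.

```python
"""Generate FortiOS CLI to add FortiGuard web-filter categories to an SSL/SSH
profile's ssl-exempt list. Added example; samples below are constructed."""
import re
import sys

# Constructed sample of `get webfilter categories` output. The g01 entries are
# the ones shown on the page; the second group is illustrative for this example.
SAMPLE_CATEGORIES = """\
  g01 Potentially Liable:
      1 Drug Abuse
      3 Hacking
      4 Illegal or Unethical
      5 Discrimination
      6 Explicit Violence
     12 Extremist Groups
     59 Proxy Avoidance

  g06 General Interest - Business:
     31 Finance and Banking
     33 Health and Wellness
     49 Business
"""

# Constructed sample of `show firewall ssl-ssh-profile custom-deep-inspection`,
# reduced to the ssl-exempt table holding the two default entries.
SAMPLE_SHOW = """\
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 25
                set fortiguard-category 31
            next
            edit 26
                set fortiguard-category 33
            next
        end
    next
end
"""

GROUP_RE = re.compile(r"^\s*g\d+\s+(.+?):\s*$")        # "  g01 Potentially Liable:"
CATEGORY_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")     # "     59 Proxy Avoidance"
EXEMPT_RE = re.compile(r"^\s*set fortiguard-category\s+(\d+)\s*$")


def parse_categories(text):
    """Return {category name: number} from `get webfilter categories` output.
    Group headers and filler lines such as '.......' are skipped."""
    cats = {}
    for line in text.splitlines():
        if GROUP_RE.match(line):
            continue
        m = CATEGORY_RE.match(line)
        if m:
            cats[m.group(2)] = int(m.group(1))
    return cats


def parse_exempt_ids(show_text):
    """Return the category numbers already present in the profile's ssl-exempt
    table. Within an ssl-ssh-profile the fortiguard-category attribute only
    occurs in ssl-exempt entries, so matching that line is sufficient."""
    return {int(m.group(1)) for m in map(EXEMPT_RE.match, show_text.splitlines()) if m}


def category_id(categories, name):
    """Case-insensitive name lookup. An unknown name is an error rather than a
    wrong number pushed to the firewall."""
    for cat_name, cid in categories.items():
        if cat_name.lower() == name.lower():
            return cid
    raise ValueError(f"unknown web-filter category: {name!r}")


def build_exempt_cli(profile, wanted_names, categories, existing_ids):
    """Build the CLI block adding each wanted category to the profile's
    ssl-exempt table with `edit 0` (FortiOS assigns the entry id). Categories
    already exempted are skipped. Returns (cli_text, added_ids)."""
    added, body = [], []
    for name in wanted_names:
        cid = category_id(categories, name)
        if cid in existing_ids or cid in added:
            continue
        added.append(cid)
        body += ["            edit 0",
                 f"                set fortiguard-category {cid}",
                 "            next"]
    lines = ["config firewall ssl-ssh-profile",
             f'    edit "{profile}"',
             "        config ssl-exempt",
             *body,
             "        end",
             "    next",
             "end"]
    return "\n".join(lines), added


if __name__ == "__main__":
    cats = parse_categories(SAMPLE_CATEGORIES)
    already = parse_exempt_ids(SAMPLE_SHOW)
    wanted = sys.argv[1:] or ["Business", "Finance and Banking"]
    cli, new_ids = build_exempt_cli("custom-deep-inspection", wanted, cats, already)
    print(f"# already exempt: {sorted(already)}; adding: {new_ids}")
    print(cli)
```

Run it with the category names as arguments (e.g. "Business") and paste the printed block into the FortiGate CLI; with real output, replace the two sample strings with the text captured from "get webfilter categories" and "show firewall ssl-ssh-profile <name>". Entries already in the profile are left alone, so re-running the script does not create duplicate exempt entries.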


If the requirement is to exempt only a few sites instead of entire categories, this can be achieved by entering those sites under 'Addresses' in the same SSL/SSH profile. This is easier to do through the GUI. However, managing a large number of addresses is better done through web filter override categories.