Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering
Products
FortiGate
Description
The FortiGate can perform both HTTP and HTTPS Web URL filtering, as well as HTTPS Fortiguard Web Filtering

With HTTP Web URL Filtering, because the URL is sent in clear text between the client and the server, the Fortigate HTTP proxy can decode this data and compare it with the patterns defined in the URL filter list.

In HTTPS however, the data are conveyed encrypted and the URL names (Ex. https://www.myhttpsurl.com) will not appear in clear text in the IP packets.
Solution
The following solutions provide two methods to configure HTTPS Web URL Filtering and how to enable HTTPS Fortiguard Web Filtering


1.  Web Filtering based on Certificate Name (CN) - FortiOS 3.0 and above

When enabling, in a Protection Profile, the HTTPS Web URL filtering option, the field that will be scanned by the Fortigate is the "Issued To --> Common Name (CN)" of the certificate received from the server during the SSL handshake.

Therefore the URL filter list must be based on this CN.
To verify a CN of a secured HTTPS Web site, click on the locker icon in your Web browsers and then "View Certificate".

If the CN in a certificate is for example "www.myhttpswebsite.com" , the corresponding URL filter will be :

config webfilter urlfilter
    edit 1
             config entries
                edit "www.myhttpswebsite.com"
                  set action block
                  next
                end
        set name "https filtering"
    next
end


2.   Deep scan on HTTPS traffic


This option requires models of Fortigate that have CP6 ASICs. To verify if a Fortigate has got CP6, use the CLI command :

FGT # get hardware status
[...]
ASIC version: CP6
[...]




2.1.  FortiOS 4.0 and 4.0MR1


Since FortiOS version 4.0, there is an option in the Protection Profile, under the section "Protocol Recognition", to select  HTTPS Content Filtering Mode  =  "Deep scan on SSL traffic" . This will scan all HTTPS traffic and will also apply to URL filtering.

Configuration example to block any URL containing myhttpsurl :


config webfilter urlfilter

   edit 1
     config entries
      edit "*myhttpsurl*"
      set action block
      set type wildcard
    next
   end
  set name "myhttpsurl"
  next
end


config firewall profile
   edit "HTTPS URL"
   set https-deep-scan enable
   set weburlfiltertable 1
   set https urlfilter
   next
end




2.2.  FortiOS 4.0MR2

In FortiOS 4.0MR2, deep-scan is enabled on the protocol options :

config firewall profile-protocol-options
    edit "web"
            config https
                set port 443
                unset options
                unset post-lang
                set deep-scan enable
            end
    end



3 - HTTPS Fortiguard Web Filtering

This can be achieved by enabling the HTTPS option in the appropriate protection profile.
The CLI command is :

config firewall profile
    edit <profile>
    set https fortiguard-wf   <plus_other_options>
end


A Fortiguard URL lookup can be done to verify the classification of the
HTTPS Web site at :

http://www.fortiguard.com/webfiltering/webfiltering.html#urllookup

Example of
Fortiguard Web Filtering URL Lookup result :

The URL https://www.myhttpsurl.com/ is rated in FortiGuard Web Filtering 2.0, as
  • Category: Proxy Avoidance






Related Articles
Feature description of v4.0 SSL content scanning
Technical Tip: How to enable Deep Content Inspection
Technical Note : Configuring FortiGate Protocol Recognition to scan traffic on non-standard port - FortiOS 4.0 and above
Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryption on SSL Inspection
Last Modified Date: 03-17-2014 Document ID: FD31710