Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering
The FortiGate can perform both HTTP and HTTPS Web URL filtering, as well as HTTPS Fortiguard Web Filtering
With HTTP Web URL Filtering, because the URL is sent in clear text between the client and the server, the Fortigate HTTP proxy can decode this data and compare it with the patterns defined in the URL filter list.
In HTTPS however, the data are conveyed encrypted and the URL names (Ex. https://www.myhttpsurl.com) will not appear in clear text in the IP packets.
The following solutions provide two methods to configure HTTPS Web URL Filtering and how to enable HTTPS Fortiguard Web Filtering
1. Web Filtering based on Certificate Name (CN)- FortiOS 3.0 and above
When enabling, in a Protection Profile, the HTTPS Web URL filtering option, the field that will be scanned by the Fortigate is the "Issued To --> Common Name (CN)" of the certificate received from the server during the SSL handshake.
Therefore the URL filter list must be based on this CN. To verify a CN of a secured HTTPS Web site, click on the locker icon in your Web browsers and then "View Certificate".
If the CN in a certificate is for example "www.myhttpswebsite.com" , the corresponding URL filter will be :
config webfilter urlfilter edit 1 config entries edit "www.myhttpswebsite.com" set action block next end set name "https filtering" next end
2. Deep scan on HTTPS traffic
This option requires models of Fortigate that have CP6 ASICs. To verify if a Fortigate has got CP6, use the CLI command :
FGT # get hardware status
[...] ASIC version: CP6 [...]
2.1. FortiOS 4.0 and 4.0MR1
Since FortiOS version 4.0, there is an option in the Protection Profile, under the section "Protocol Recognition", to select HTTPS Content Filtering Mode = "Deep scan on SSL traffic" . This will scan all HTTPS traffic and will also apply to URL filtering.
Configuration example to block any URL containing myhttpsurl :
config webfilter urlfilter edit 1 config entries edit "*myhttpsurl*" set action block set type wildcard next end set name "myhttpsurl" next end
config firewall profile edit "HTTPS URL" set https-deep-scan enable set weburlfiltertable 1 set https urlfilter next end
2.2. FortiOS 4.0MR2
In FortiOS 4.0MR2, deep-scan is enabled on the protocol options :
config firewall profile-protocol-options edit "web" config https set port 443 unset options unset post-lang set deep-scan enable end end
3 - HTTPS Fortiguard Web Filtering
This can be achieved by enabling the HTTPS option in the appropriate protection profile. The CLI command is :
config firewall profile edit <profile> set https fortiguard-wf <plus_other_options> end
A Fortiguard URL lookup can be done to verify the classification of the HTTPS Web site at :