Description
This article describes how SSL exemptions on an SSL deep Inspection profile affect web filtering behavior and how to verify it.
Scope
FortiGate.
Solution
Once a web page is accessed, FortiGuard category filtering looks for the category to rate the accessing website using a live service. FortiGate then makes decision based on the received rating information from FortiGuard network.
In the following example, the action has been set to 'Block' for all FortiGuard Categories in the web filter profile as below, and a deep inspection profile is bound to the same outbound firewall policy:
Since the CA certificate of FortiGate is already imported to the client’s web browser, the client receives the following replacement message in the browser after accessing the www.fortinet.com website. The web filter log entry below the screenshot of the replacement message is additionally generated.
Once the '*.fortinet.com' is added to the SSL exemption list, the web filtering behavior is changed.
The exemption of the Fortinet website on the SSL deep inspection profile causes FortiGate to consider the Fortinet website trusted and bypasses the existing FortiGuard category checking. Therefore, only an SSL log entry is generated.
The following is an example of accessing to www.fortinet.com website after adding the *.fortinet.com wildcard FQDN object to the SSL exemption list of the deep inspection profile:
Note:
In flow-based inspection mode, destinations that are 'Exempt from SSL Inspection' within SSL Inspection profile are also exempt from subsequent UTM inspection (covered by this KB article)
In proxy-based inspection mode, destinations that are 'Exempt from SSL Inspection' within the SSL Inspection profile are exempt from SSL deep inspection, but subsequent UTM inspection applies. In the context of this article, the website 'www.fortinet.com' will be blocked with SSL exempt if the firewall policy is set to proxy-based inspection mode with a respective proxy-based web filter profile.
