Troubleshooting Tip: SSL-exempt setting does not show all of the addresses in the GUI and it is not possible to add them through the GUI

tpatel · ‎03-17-2024

Description

This article describes how to resolve an issue with SSL-exempt addresses not showing up as expected in the interface.

Scope

FortiOS 7.4.3.

Solution

In the SSL inspection profile in FortiOS 7.4.3, SSL-exempt addresses added through the GUI may not show up.

Trying to add the addresses through the CLI will result in them showing up correctly in the CLI configuration, but not in the GUI.

CLI configuration:

config ssl-exempt
edit 1
set type address
set address "dmz"
next
edit 2
set type address
set address "gmail.com"
next
edit 3
set type address
set address "lan"
next
edit 4
set type address
set address "login.windows.net"
next
edit 5
set type address
set address "test"
next
edit 6
set type address
set address "wildcard.google.com"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "skype"
next
edit 8
set fortiguard-category 33
next
edit 9
set fortiguard-category 87
next
end
next
end

FortiGate GUI interface:

To work around this issue, add the addresses in the CLI. This issue has been resolved in FortiOS version 7.4.4.