Channel: Fortinet Cookbook

Exempting Google from SSL inspection


In this recipe, you will exempt Google websites from deep SSL inspection. Exempting these websites allows the Google Chrome browser to access them without errors.

You should use caution when exempting websites. In general, you should exempt only websites that you know you can trust. You could also consider exempting websites that do not function properly when subjected to SSL inspection, such as a site (or application) that uses certificate/public key pinning.

In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.

Find this recipe for other FortiOS versions: 5.2 | 5.6

1. Using the default deep-inspection profile

Go to System > Feature Select. Under Additional Features, make sure Multiple Security Profiles is enabled.

If necessary, Apply changes.


Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

Under Security Profiles, enable Web Filter using the default profile. SSL/SSH Inspection is enabled by default. Set it to use the deep-inspection profile.


When the deep-inspection profile is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between itself and the recipient by impersonating the sender, and forwards the content to the recipient. The client therefore sees a certificate signed by the FortiGate's inspection CA rather than the site's own certificate.

For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.


This error occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning): Chrome knows which keys a certificate for a Google site must chain to, so it can determine that the certificate presented by the FortiGate does not belong to Google. Because of this, Chrome concludes that a "man in the middle" attack is occurring and blocks access to what it considers a compromised website.

2. Creating an SSL/SSH profile that exempts Google

In FortiOS 5.6, the two default profiles, certificate-inspection and deep-inspection, are read-only. In order to exempt Google, you must create a new profile.

Go to Policy & Objects > Addresses and create a new address.

Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by Google in your region (in the example, *.google.ca).


Go to Policy & Objects > SSL/SSH Inspection and select the list view to view all profiles.

Select the deep-inspection profile, then select Clone to create a copy of this profile. This copy has all the settings used by the default profile, while also being read-write.

Edit the new SSL profile and change its name (in the example, my-deep-inspection).

Exempt web categories and addresses are listed under Exempt from SSL Inspection. Add the address for Google to the list of exempt Addresses.

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

Set SSL/SSH Inspection to use the new profile.

3. Results

Using Chrome, browse to google.ca. The site loads properly.
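A browser error is a coarse signal for the behaviour described in steps 1 and 3, and it says nothing about sites other than the one you opened. The following shell script is an added example, not part of the Fortinet recipe, for checking from a client behind the FortiGate which certificate a site actually presents: a leaf signed by the FortiGate's inspection CA means the session is being deep-inspected, while the site's own public CA means it is exempted. It assumes `openssl` is installed, that the FortiGate uses its default inspection CA (whose subject contains "Fortinet" / "FortiGate CA"; adjust the pattern in `classify_issuer` if your unit uses a custom CA), and it uses shell glob matching as a stand-in for the FortiGate's own wildcard FQDN matching, which is an assumption about the exact FortiOS semantics.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: report whether a site's TLS
# session is being re-signed by the FortiGate deep-inspection CA ("inspected")
# or reaches the client with its original certificate chain ("passthrough").

# Print the issuer of the leaf certificate that HOST presents on port 443.
# Assumes openssl is installed. Empty output means the host was unreachable.
fetch_issuer() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line. Assumption: the default FortiGate inspection CA
# carries "Fortinet" / "FortiGate CA" in its subject; a custom CA needs its
# own pattern here. Any other issuer (e.g. a public CA) is the original chain.
classify_issuer() {
    case "$1" in
        "")                     echo "unreachable" ;;
        *Fortinet*|*FortiGate*) echo "inspected" ;;
        *)                      echo "passthrough" ;;
    esac
}

# Does HOST fall under an exempt wildcard FQDN such as "*.google.ca"?
# Shell glob matching stands in for the FortiGate's matching (assumption).
is_exempt() {
    host="$1"
    pattern="$2"
    case "$host" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare what the exempt list says should happen with what is observed on
# the wire, so a mis-applied SSL/SSH profile shows up as a mismatch.
check_host() {
    host="$1"
    exempt_pattern="$2"
    observed=$(classify_issuer "$(fetch_issuer "$host")")
    if is_exempt "$host" "$exempt_pattern"; then
        expected="passthrough"
    else
        expected="inspected"
    fi
    if [ "$observed" = "$expected" ]; then
        echo "$host: $observed (as expected)"
    else
        echo "$host: $observed but expected $expected - check the SSL/SSH profile on the policy"
    fi
}

# Usage: ./check_inspection.sh www.google.ca '*.google.ca'
# The pattern defaults to the recipe's example, *.google.ca.
if [ -n "$1" ]; then
    check_host "$1" "${2:-*.google.ca}"
fi
```

Run it once for an exempted host and once for a host that should still be inspected; the second run should report "inspected" with the FortiGate CA as issuer, which confirms that exempting Google did not accidentally disable inspection for everything else on the policy. Note that `*.google.ca` does not glob-match the bare name `google.ca`; whether the FortiGate's own wildcard matching treats the apex name as covered is something to confirm on your unit, since Chrome normally lands on `www.google.ca` after a redirect anyway.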

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.


The post Exempting Google from SSL inspection appeared first on Fortinet Cookbook.
