In this recipe, you will exempt Google websites from deep SSL inspection. Exempting these websites allows the Google Chrome browser to access them without errors.
You should use caution when exempting websites. In general, you should exempt only websites that you know you can trust. You could also consider exempting websites that do not function properly when subjected to SSL inspection, such as a site (or application) that uses certificate/public key pinning.
In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.
The full CLI configuration can be found at the end of this recipe.
1. Using the default deep-inspection profile

Go to System > Feature Select. Under Additional Features, make sure Multiple Security Profiles is enabled. If necessary, Apply changes.

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet. Under Security Profiles, enable Web Filter using the default profile. SSL/SSH Inspection is enabled by default; set it to use the deep-inspection profile.

When the deep-inspection profile is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between itself and the recipient by impersonating the sender, and forwards the content to the recipient. For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.

This error occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning): Chrome knows which keys belong to Google and can tell that the certificate presented by the FortiGate does not match any of them. Chrome therefore treats the connection as a man-in-the-middle attack and blocks access to the site.

2. Creating an SSL/SSH profile that exempts Google

In FortiOS 5.6, the two default profiles, certificate-inspection and deep-inspection, are read-only. In order to exempt Google, you must create a new profile.

Go to Policy & Objects > Addresses and create a new address. Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by Google in your region (in the example, *.google.ca).

Go to Security Profiles > SSL/SSH Inspection and select the list view to view all profiles.

Select the deep-inspection profile, then select Clone to create a copy of this profile. This copy has all the settings of the default profile, but is read-write.

Edit the new SSL profile and change its name (in the example, my-deep-inspection). Exempt web categories and addresses are listed under Exempt from SSL Inspection. Add the address for Google to the list of exempt Addresses.

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet. Set SSL/SSH Inspection to use the new profile.

3. Results

Using Chrome, browse to google.ca. The site loads properly.
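To confirm from a client that the exemption actually took effect, and to see which hostnames a Wildcard FQDN address such as *.google.ca covers, the following Python script is an added example and is not part of the Fortinet recipe. It assumes the FortiGate re-signs certificates with a CA whose Organization is "Fortinet" and that a Wildcard FQDN covers every host ending in the given suffix; adjust both assumptions to your deployment.

```python
import socket
import ssl

# Issuer Organization of a certificate re-signed by the inspecting FortiGate.
# Assumption: the default FortiGate inspection CA uses "Fortinet"; change this
# if a custom CA was installed on the FortiGate.
INSPECTION_ISSUER_ORGS = {"fortinet"}


def matches_wildcard_fqdn(pattern: str, host: str) -> bool:
    """True if host is covered by a Wildcard FQDN address such as "*.google.ca".
    Assumption: the pattern covers every host ending in ".google.ca", but not
    the bare apex and not look-alikes such as "google.ca.example.net"."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".google.ca"
    return host.endswith(suffix) and len(host) > len(suffix)


def issuer_org(cert: dict) -> str:
    """Issuer Organization from an ssl.getpeercert() dictionary."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify_issuer(cert: dict) -> str:
    """'inspected' when the FortiGate minted the leaf, 'direct' otherwise."""
    return "inspected" if issuer_org(cert).lower() in INSPECTION_ISSUER_ORGS else "direct"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Handshake with host and report how the presented certificate was signed.
    A verification failure usually means the inspection CA is not trusted on
    this machine, which is the state Chrome objects to for a pinned site."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed", exc.verify_message
    return classify_issuer(cert), issuer_org(cert)


if __name__ == "__main__":
    for name in ("www.google.ca", "accounts.google.ca", "www.google.com"):
        print(name, "exempt" if matches_wildcard_fqdn("*.google.ca", name) else "inspected")
    print(probe("www.google.ca"))  # run from the internal network behind the FortiGate
```

A result of ("direct", ...) for www.google.ca after step 2 means the exemption is working; ("inspected", "Fortinet") means the policy is still using a profile without the exemption.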
CLI Syntax
The CLI syntax below corresponds to the configuration shown above. Remember to substitute your own names and values where necessary.
config firewall address
    edit "Google Canada"
        set uuid 64b58d54-4fb2-51e7-23ee-0d067557e7ac
        set type wildcard-fqdn
        set wildcard-fqdn "*.google.ca"
    next
end

config firewall ssl-ssh-profile
    edit "my-deep-inspection"
        set comment "Deep inspection."
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google Canada"
            next
            edit 3
                set type address
                set address "Gotomeeting"
            next
            edit 4
                set type address
                set address "Windows update 2"
            next
            edit 5
                set type address
                set address "adobe"
            next
            edit 6
                set type address
                set address "android"
            next
            edit 7
                set type address
                set address "apple"
            next
            edit 8
                set type address
                set address "appstore"
            next
            edit 9
                set type address
                set address "auth.gfx.ms"
            next
            edit 10
                set type address
                set address "autoupdate.opera.com"
            next
            edit 11
                set type address
                set address "citrix"
            next
            edit 12
                set type address
                set address "dropbox.com"
            next
            edit 13
                set type address
                set address "eease"
            next
            edit 14
                set type address
                set address "firefox update server"
            next
            edit 15
                set type address
                set address "fortinet"
            next
            edit 16
                set type address
                set address "google-drive"
            next
            edit 17
                set type address
                set address "google-play"
            next
            edit 18
                set type address
                set address "google-play2"
            next
            edit 19
                set type address
                set address "google-play3"
            next
            edit 20
                set type address
                set address "googleapis.com"
            next
            edit 21
                set type address
                set address "icloud"
            next
            edit 22
                set type address
                set address "itunes"
            next
            edit 23
                set type address
                set address "microsoft"
            next
            edit 24
                set type address
                set address "skype"
            next
            edit 25
                set type address
                set address "softwareupdate.vmware.com"
            next
            edit 26
                set type address
                set address "swscan.apple.com"
            next
            edit 27
                set type address
                set address "update.microsoft.com"
            next
            edit 28
                set type address
                set address "verisign"
            next
            edit 29
                set fortiguard-category 31
            next
            edit 30
                set fortiguard-category 33
            next
        end
    next
end

config firewall policy
    edit 1
        set name "Internet"
        set uuid 05bbbea0-4610-51e7-289b-434738fcb746
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "my-deep-inspection"
        set nat enable
    next
end
For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.
The post Exempting Google from SSL inspection appeared first on Fortinet Cookbook.