FortiGate – How to block Https Web contents without deep-ssl-inspection

glitchlist Blog Leave a Comment

DEEP-SSL-INSPECTION is used when I want to decrypt and encrypt on-the-fly all the incoming or outgoing traffic in my firewall to find fingerprints of an attack or dangerous traffic. This type of inspection is very heavy for the CPU of the firewall and must be used with limitations.

If we want to inspect the SSL web browsing we must to be able to read the contents of the encrypted packets without impacting the overall security infrastructure. In this case, the CERT-SSL-INSPECTION feature helps. It is able to intercept SSL handshakes and read the certificate’s CN part in which there is the URL of the domain being contacted. Once this data is obtained it is possible to compare it with web filtering blacklist and eventually block the traffic.

To make me understand better if we sniff with Wireshark an HTTP session and HTTPS session we will discover that in HTTP we can read all the data in the TCP payload such as the URL contacted or all the GETs we can send to the web server. In HTTPS once the SSL handshake is completed and the SSL / TLS session is established, we will no longer be able to read the payload content.

To enable SSL Certificate Inspection do the following:

  • Enter in the Security Profiles configuration of your FortiGate
  • Click on SSL/SSH inspection and configure a NEW SSL/SSH Inspection Profile like this:
  • Once the new inspection profile is created, apply it to the web browsing policy:

Now HTTP and HTTPS traffic is inspected and your FortiGate is happy!

.glitchlist crew

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.