Default exemptions in the SSL deep-inspection profile


In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. If you upgrade a FortiGate to 5.2 from an earlier version, however, these entries are not added to your configuration unless you perform a factory reset.

If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete exemption list and the firewall addresses behind it.

The exemption list

This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

Default firewall addresses

This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

CLI syntax

The following CLI commands add the firewall addresses to your FortiGate and then set them as exemptions in an SSL inspection profile. Traffic to an exempted address is passed through without being decrypted, so use the narrowest FQDN pattern the service needs rather than a whole parent domain.

FortiOS 5.6

In FortiOS 5.6, the default deep-inspection profile is read-only, so exemptions cannot be added to it. If you need to add exemptions, use the following commands, which create a new SSL inspection profile called my-deep-inspection with the same inspected ports and exemptions as the default. Entries 28 and 29 exempt FortiGuard web-filter categories by ID (31 is Finance and Banking, 33 is Health and Wellness). You will need to further configure this profile, and reference it from your firewall policies, before it is used for SSL inspection.

Syntax:

config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit "my-deep-inspection"
    set comment "Deep inspection."
    config https
      set ports 443
    end
    config ftps
      set ports 990
    end
    config imaps
      set ports 993
    end
    config pop3s
      set ports 995
    end
    config smtps
      set ports 465
    end
    config ssh
      set ports 22
    end
    config ssl-exempt
      edit 1
        set type address
        set address "Adobe Login"
      next
      edit 2
        set type address
        set address "Gotomeeting"
      next
      edit 3
        set type address
        set address "Windows update 2"
      next
      edit 4
        set type address
        set address "adobe"
      next
      edit 5
        set type address
        set address "android"
      next
      edit 6
        set type address
        set address "apple"
      next
      edit 7
        set type address
        set address "appstore"
      next
      edit 8
        set type address
        set address "auth.gfx.ms"
      next
      edit 9
        set type address
        set address "autoupdate.opera.com"
      next
      edit 10
        set type address
        set address "citrix"
      next
      edit 11
        set type address
        set address "dropbox.com"
      next
      edit 12
        set type address
        set address "eease"
      next
      edit 13
        set type address
        set address "firefox update server"
      next
      edit 14
        set type address
        set address "fortinet"
      next
      edit 15
        set type address
        set address "google-drive"
      next
      edit 16
        set type address
        set address "google-play"
      next
      edit 17
        set type address
        set address "google-play2"
      next
      edit 18
        set type address
        set address "google-play3"
      next
      edit 19
        set type address
        set address "googleapis.com"
      next
      edit 20
        set type address
        set address "icloud"
      next
      edit 21
        set type address
        set address "itunes"
      next
      edit 22
        set type address
        set address "microsoft"
      next
      edit 23
        set type address
        set address "skype"
      next
      edit 24
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 25
        set type address
        set address "swscan.apple.com"
      next
      edit 26
        set type address
        set address "update.microsoft.com"
      next
      edit 27
        set type address
        set address "verisign"
      next
      edit 28
        set fortiguard-category 31
      next
      edit 29
        set fortiguard-category 33
      next
    end
  next
end

 

FortiOS 5.4

If you are using FortiOS 5.4, use the following commands to add exemptions to the deep-inspection profile. Replace <name> with the name of the SSL inspection profile you want to edit.

Syntax:

config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit <name>
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end

 

FortiOS 5.2

If you are using FortiOS 5.2, use the following commands to add exemptions to the deep-inspection profile. In 5.2 there is no wildcard-fqdn address type: a wildcard is written into a plain FQDN address, and FQDN addresses that contain wildcards are only supported for use with SSL inspection, not in firewall policies.

Syntax:

config firewall address
  edit "adobe"
    set type fqdn
    set fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type fqdn
    set fqdn "*.adobelogin.com"
  next
  edit "android"
    set type fqdn
    set fqdn "*.android.com"
  next
  edit "apple"
    set type fqdn
    set fqdn "*.apple.com"
  next
  edit "appstore"
    set type fqdn
    set fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type fqdn
    set fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type fqdn
    set fqdn "*.dropbox.com"
  next
  edit "eease"
    set type fqdn
    set fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type fqdn
    set fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type fqdn
    set fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type fqdn
    set fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type fqdn
    set fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type fqdn
    set fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type fqdn
    set fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type fqdn
    set fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type fqdn
    set fqdn "*.icloud.com"
  next
  edit "itunes"
    set type fqdn
    set fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type fqdn
    set fqdn "*.microsoft.com"
  next
  edit "skype"
    set type fqdn
    set fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type fqdn
    set fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type fqdn
    set fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit deep-inspection
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end
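The three version-specific blocks above differ only in how a wildcard pattern is stored (a plain fqdn address in 5.2, a wildcard-fqdn address from 5.4 onward) and in whether the default profile can be edited (not in 5.6). The following Python script is an added example, not code from this page or from Fortinet: it renders the CLI for a chosen version from a single list of patterns, refuses to target the read-only 5.6 deep-inspection profile, flags patterns whose wildcard is not a whole label, and answers the practical question of whether a given server name would bypass inspection. The entry list is a constructed subset of the page's addresses, and hostname matching uses shell-style globbing (fnmatch) as an assumed approximation of the FortiGate matcher, in which "*" can also span dots.

```python
# Added example (not from the original page or Fortinet): render the FortiOS CLI
# for SSL-inspection exemptions per version and check which hostnames they cover.
from fnmatch import fnmatchcase

# Constructed sample of (address name, FQDN pattern), taken from the page's list.
SAMPLE_ENTRIES = [
    ("adobe", "*.adobe.com"),
    ("firefox update server", "aus*.mozilla.org"),
    ("google-play", "play.google.com"),
    ("Windows update 2", "*.windowsupdate.com"),
]


def address_block(entries, fortios):
    """Render `config firewall address` for a FortiOS version tuple such as (5, 4).

    5.2 has no wildcard-fqdn type, so a wildcard pattern is stored in a plain
    fqdn address (usable only for SSL inspection); 5.4 and later use wildcard-fqdn.
    """
    lines = ["config firewall address"]
    for name, pattern in entries:
        key = "wildcard-fqdn" if ("*" in pattern and fortios >= (5, 4)) else "fqdn"
        lines += [
            f'  edit "{name}"',
            f"    set type {key}",
            f'    set {key} "{pattern}"',
            "  next",
        ]
    lines.append("end")
    return "\n".join(lines)


def exempt_block(entries, profile, fortios, categories=()):
    """Render the ssl-exempt table of an ssl-ssh-profile.

    `edit 0` lets the FortiGate assign the next free entry ID, so the block can be
    pasted into a profile that already holds exemptions. FortiGuard category IDs
    (31 and 33 in the 5.6 default profile) are appended as category entries.
    """
    if fortios >= (5, 6) and profile == "deep-inspection":
        raise ValueError("deep-inspection is read-only in 5.6; use a new profile name")
    lines = ["config firewall ssl-ssh-profile", f'  edit "{profile}"', "    config ssl-exempt"]
    for name, _pattern in entries:
        lines += ["      edit 0", "        set type address",
                  f'        set address "{name}"', "      next"]
    for cat in categories:
        lines += ["      edit 0", "        set type fortiguard-category",
                  f"        set fortiguard-category {cat}", "      next"]
    lines += ["    end", "  next", "end"]
    return "\n".join(lines)


def exempting_entries(hostname, entries):
    """Names of the exemptions whose pattern covers `hostname` (the TLS SNI / CN).

    Assumption: glob-style matching, case-insensitive, trailing dot ignored.
    An empty list means the host would still be deep-inspected.
    """
    host = hostname.lower().rstrip(".")
    return [name for name, pattern in entries if fnmatchcase(host, pattern.lower())]


def audit_breadth(entries):
    """Flag patterns whose wildcard is embedded in a label rather than being a
    whole label ("*drive.google.com" also matches "notdrive.google.com").
    Every exempted host is passed through undecrypted, so such entries deserve
    a second look before they are added."""
    loose = []
    for name, pattern in entries:
        if any("*" in label and label != "*" for label in pattern.split(".")):
            loose.append(name)
    return loose


if __name__ == "__main__":
    print(address_block(SAMPLE_ENTRIES, (5, 4)))
    print(exempt_block(SAMPLE_ENTRIES, "my-deep-inspection", (5, 6), categories=(31, 33)))
    print("covers aus5.mozilla.org:", exempting_entries("aus5.mozilla.org", SAMPLE_ENTRIES))
    print("loose wildcards:", audit_breadth(SAMPLE_ENTRIES))
```

Run it with the target version tuple and paste the printed blocks into the CLI; before doing so, run `audit_breadth` and `exempting_entries` on a few hostnames you expect to stay inspected (for example your own SSO portal) to confirm no pattern quietly covers them.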

 

For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
If you create a new VDOM after upgrading your FortiGate, the exemptions will appear on the VDOM.
  • Nishit Patel

    Hi Victoria,

    We added some sites in the ssl exception list & also white listed in the web filter category for an app that runs in kiosk mode on chromebooks. But after user hit “Start” to begin testing a circle keeps spinning and not going further. But when we change it to use certificate-inspection instead of deep-inspection it goes all the way. The version is 5.2.10. Any thoughts on this? Thanks.

  • Mike Brown

    Hey Victoria,

    I was really excited when I found this write-up. I think it will solve issues with ChromeBooks and bypassing SSL-Inspection for a long list of URLs that Google gives out. https://support.google.com/chrome/a/answer/6334001?hl=en&ref_topic=3504941

    I’m running Firmware Version v5.2.8,build727 (GA) on a 1200D.

    Unfortunately, I’m not able to run the “set type wildcard-fqdn” command.

    After I run:
    config firewall address
    edit "Example Google URL"
    set type…

    My choices are:

    ipmask IP/netmask
    iprange IP range.
    fqdn Fully qualified domain name.
    geography Country name.
    wildcard IP/wildcard-netmask
    url Match URL pattern (explicit web proxy only).

    The wildcard option is specifically for IP which leads me down the wrong path:
    config firewall address
    edit "Example Google URL"
    set type wildcard
    set wildcard ?
    Any ip and Any mask

    Thoughts?

    Thanks!
    -Mike

    • Victoria Martin

      Hi Mike,

      Thank you for your comment. There was a change to the CLI between 5.2 and 5.4 that I was not aware of, as wildcard FQDNs were added as a supported type of address in 5.4.

      In the case of 5.2, the addresses have to be added as fully qualified domain names, with an asterisk used as a wildcard. In 5.2, a FQDN firewall address with a wildcard character is only supported for use with SSL inspection.

      As an example, in 5.2 the syntax to add an entry for Adobe is as follows:

      edit "adobe"
      set type fqdn
      set fqdn "*.adobe.com"
      next

      I will be updating this page to reflect the different commands in 5.2 vs 5.4.

  • Dietmar

    Hi Victoria,
    thanks also for sharing! Are there any changes or new entries for FOS 5.4.1? (maybe about whatsapp,..)
    Kind regards,
    Dietmar

    • Victoria Martin

      Hi Dietmar,

      You can check out the 5.4.1 Release Notes, as well as the What’s New for 5.4.1 document, to see what changes/additions have been made.

      Release Notes: http://docs.fortinet.com/uploaded/files/3075/fortios-v5.4.1-release-notes.pdf

      What’s New: http://docs.fortinet.com/uploaded/files/3111/fortigate-whats-new-54.pdf

      • Dietmar

        Dear Victoria,

        thanks for your information!

        The point is that I couldn’t find a list like yours neither in those documents nor online like help.fortinet.com, kb.fortinet.com,…

        The only info that I can find is:

        “More exemptions to SSL deep inspection (267241)
        Some common sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.”
        But I was not able to find the “267241” – I believe this should be a KB-article – but couldn’t find it.
        Kind regards,
        Dietmar.

        • Victoria Martin

          267241 is actually a number from an internal system that Fortinet uses to track bugs and new features, rather than a KB article. I looked it up and it appears that the feature concerns adding the same exceptions to 5.4 that were added to 5.2.

          • Dietmar

            OK. Thanks a lot Victoria for checking and informing here!
            Kind regards,
            Dietmar

  • Joseph O’Brien

    Thanks for sharing this! Any chance you could post the relevant part of the config file? That would make it easier to add to our config.

    • Victoria Martin

      Hi Joseph,

      I will look into adding that info soon.