Default exemptions in the SSL deep-inspection profile


In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. However, if you upgrade your FortiGate to 5.2 from an earlier version, these addresses are not added to your configuration unless you perform a factory reset.

If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete list of the exemptions and information about the firewall addresses.

The exemption list

This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

Default firewall addresses

This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

CLI syntax

The following CLI commands add the firewall addresses to your FortiGate and then set them as exemptions in an SSL inspection profile.

FortiOS 5.6

In FortiOS 5.6, the default deep-inspection profile is read-only, so exemptions cannot be added to it. If you need to add exemptions, use the following commands, which include creating a new SSL inspection profile called my-deep-inspection. You will need to configure this profile further before you can use it for SSL inspection.

Syntax:

config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit "my-deep-inspection"
    set comment "Deep inspection."
    config https
      set ports 443
    end
    config ftps
      set ports 990
    end
    config imaps
      set ports 993
    end
    config pop3s
      set ports 995
    end
    config smtps
      set ports 465
    end
    config ssh
      set ports 22
    end
    config ssl-exempt
      edit 1
        set type address
        set address "Adobe Login"
      next
      edit 2
        set type address
        set address "Gotomeeting"
      next
      edit 3
        set type address
        set address "Windows update 2"
      next
      edit 4
        set type address
        set address "adobe"
      next
      edit 5
        set type address
        set address "android"
      next
      edit 6
        set type address
        set address "apple"
      next
      edit 7
        set type address
        set address "appstore"
      next
      edit 8
        set type address
        set address "auth.gfx.ms"
      next
      edit 9
        set type address
        set address "autoupdate.opera.com"
      next
      edit 10
        set type address
        set address "citrix"
      next
      edit 11
        set type address
        set address "dropbox.com"
      next
      edit 12
        set type address
        set address "eease"
      next
      edit 13
        set type address
        set address "firefox update server"
      next
      edit 14
        set type address
        set address "fortinet"
      next
      edit 15
        set type address
        set address "google-drive"
      next
      edit 16
        set type address
        set address "google-play"
      next
      edit 17
        set type address
        set address "google-play2"
      next
      edit 18
        set type address
        set address "google-play3"
      next
      edit 19
        set type address
        set address "googleapis.com"
      next
      edit 20
        set type address
        set address "icloud"
      next
      edit 21
        set type address
        set address "itunes"
      next
      edit 22
        set type address
        set address "microsoft"
      next
      edit 23
        set type address
        set address "skype"
      next
      edit 24
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 25
        set type address
        set address "swscan.apple.com"
      next
      edit 26
        set type address
        set address "update.microsoft.com"
      next
      edit 27
        set type address
        set address "verisign"
      next
      edit 28
        set fortiguard-category 31
      next
      edit 29
        set fortiguard-category 33
      next
    end
  next
end
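After pasting a block this long, the question a reviewer wants answered is whether every ssl-exempt entry points at an address that actually exists, which addresses were defined but never exempted, and how many of the exemptions are wildcards (each one is a deliberate hole in deep inspection, so the list should be reviewed as such). The following added example, which is not part of the original post or of FortiOS itself, parses CLI text in the format shown above and produces that report. The sample configuration is constructed from a subset of the 5.6 block, with one deliberate mismatch (skype is exempted but never defined) so the check has something to find.

```python
"""Cross-check a FortiOS ssl-exempt list against the firewall address table.

Added example; the parser is a deliberately small line-based reader of the
config/edit/set/next/end structure the page's CLI uses, not a full FortiOS
config parser.
"""

# Constructed sample: a subset of the page's 5.6 CLI, plus "skype" exempted
# without a matching address entry (a deliberate defect for the check to find).
SAMPLE_CLI = """\
config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
end

config firewall ssl-ssh-profile
  edit "my-deep-inspection"
    set comment "Deep inspection."
    config https
      set ports 443
    end
    config ssl-exempt
      edit 1
        set type address
        set address "adobe"
      next
      edit 2
        set type address
        set address "auth.gfx.ms"
      next
      edit 3
        set type address
        set address "skype"
      next
      edit 4
        set fortiguard-category 31
      next
    end
  next
end
"""


def parse_cli(text):
    """Return ({address name: attrs}, [ssl-exempt entry attrs]) from CLI text."""
    addresses, exempts = {}, []
    # Frames are ("config", section name, attrs) or ("edit", section name, attrs).
    stack = []

    def record(frame):
        kind, section, attrs = frame
        if kind != "edit":
            return
        if section == "firewall address":
            addresses[attrs["name"]] = attrs
        elif section == "ssl-exempt":
            exempts.append(attrs)

    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        kw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kw == "config":
            stack.append(("config", rest, {}))
        elif kw == "edit":
            section = next(f[1] for f in reversed(stack) if f[0] == "config")
            stack.append(("edit", section, {"name": rest.strip('"')}))
        elif kw == "set":
            key, _, val = rest.partition(" ")
            stack[-1][2][key] = val.strip().strip('"')
        elif kw == "next":
            record(stack.pop())
        elif kw == "end":
            # 'end' closes the innermost config section, saving any open edit.
            while stack:
                frame = stack.pop()
                record(frame)
                if frame[0] == "config":
                    break
    return addresses, exempts


def audit_exemptions(addresses, exempts):
    """Group the findings a reviewer of the exemption list would want."""
    report = {"undefined": [], "unused": [], "wildcard": [], "categories": []}
    exempted = set()
    for entry in exempts:
        if "fortiguard-category" in entry:
            report["categories"].append(entry["fortiguard-category"])
            continue
        name = entry.get("address")
        exempted.add(name)
        if name not in addresses:
            report["undefined"].append(name)
            continue
        pattern = addresses[name].get("wildcard-fqdn") or addresses[name].get("fqdn", "")
        if "*" in pattern:
            report["wildcard"].append((name, pattern))
    report["unused"] = [n for n in addresses if n not in exempted]
    return report


if __name__ == "__main__":
    addrs, exempts = parse_cli(SAMPLE_CLI)
    for key, items in audit_exemptions(addrs, exempts).items():
        print(f"{key}: {items}")
```

Run it against a `show firewall address` and `show firewall ssl-ssh-profile` dump joined into one text; an entry under "undefined" is an exemption that silently does nothing, and every entry under "wildcard" is traffic that bypasses inspection for an entire domain tree.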


FortiOS 5.4

If you are using FortiOS 5.4, use the following commands to add exemptions to the deep-inspection profile.

Syntax:

config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit <name>
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end


FortiOS 5.2

If you are using FortiOS 5.2, use the following commands to add exemptions to the deep-inspection profile. In 5.2, FQDN addresses that contain wildcards are only supported for use with SSL inspection.

Syntax:

config firewall address
  edit "adobe"
    set type fqdn
    set fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type fqdn
    set fqdn "*.adobelogin.com"
  next
  edit "android"
    set type fqdn
    set fqdn "*.android.com"
  next
  edit "apple"
    set type fqdn
    set fqdn "*.apple.com"
  next
  edit "appstore"
    set type fqdn
    set fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type fqdn
    set fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type fqdn
    set fqdn "*.dropbox.com"
  next
  edit "eease"
    set type fqdn
    set fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type fqdn
    set fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type fqdn
    set fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type fqdn
    set fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type fqdn
    set fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type fqdn
    set fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type fqdn
    set fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type fqdn
    set fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type fqdn
    set fqdn "*.icloud.com"
  next
  edit "itunes"
    set type fqdn
    set fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type fqdn
    set fqdn "*.microsoft.com"
  next
  edit "skype"
    set type fqdn
    set fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type fqdn
    set fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type fqdn
    set fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit deep-inspection
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end
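The three version-specific blocks above differ in only two ways: how a wildcard is expressed in the address object (a plain fqdn address in 5.2, the dedicated wildcard-fqdn type in 5.4 and 5.6) and which profile the exemptions go into. The following added example, which is not Fortinet's code and not part of the original post, generates both the address table and the ssl-exempt block for a chosen version from one list of (name, pattern) pairs, so the list can be maintained in one place. The entries are a constructed subset of the page's list; the fortiguard-category entries are emitted only when asked for, since the page shows them only in the 5.6 block.

```python
"""Generate the FortiOS CLI for SSL-inspection exemptions by version.

Added example. Version strings and profile targets follow the page's three
sections; the entry list below is a constructed subset of the page's list.
"""

# (address object name, FQDN or wildcard pattern) - constructed subset
ENTRIES = [
    ("adobe", "*.adobe.com"),
    ("auth.gfx.ms", "auth.gfx.ms"),
    ("firefox update server", "aus*.mozilla.org"),
]

# Which profile the exemptions are written into, per the page:
# 5.2 edits the default profile, 5.4 leaves the name to the admin,
# 5.6 needs a new profile because the default one is read-only.
PROFILE_TARGET = {
    "5.2": "edit deep-inspection",
    "5.4": "edit <name>",
    "5.6": 'edit "my-deep-inspection"',
}


def address_block(version, entries):
    """config firewall address ... end, using the address type the version expects."""
    if version not in PROFILE_TARGET:
        raise ValueError(f"unsupported FortiOS version {version!r}")
    lines = ["config firewall address"]
    for name, pattern in entries:
        # 5.2 accepts a wildcard inside a plain fqdn address (SSL-inspection use
        # only); 5.4 and 5.6 use the wildcard-fqdn type whenever '*' appears.
        kind = "wildcard-fqdn" if ("*" in pattern and version != "5.2") else "fqdn"
        lines += [
            f'  edit "{name}"',
            f"    set type {kind}",
            f'    set {kind} "{pattern}"',
            "  next",
        ]
    lines.append("end")
    return "\n".join(lines)


def exempt_block(version, entries, categories=()):
    """config firewall ssl-ssh-profile ... end with one ssl-exempt entry per item."""
    if version not in PROFILE_TARGET:
        raise ValueError(f"unsupported FortiOS version {version!r}")
    lines = [
        "config firewall ssl-ssh-profile",
        f"  {PROFILE_TARGET[version]}",
        "    config ssl-exempt",
    ]
    index = 0
    # The page's 5.6 block numbers entries explicitly; 5.2 and 5.4 use
    # 'edit 0' so the FortiGate assigns the next free index.
    for name, _ in entries:
        index += 1
        entry_id = index if version == "5.6" else 0
        lines += [
            f"      edit {entry_id}",
            "        set type address",
            f'        set address "{name}"',
            "      next",
        ]
    for category in categories:
        index += 1
        entry_id = index if version == "5.6" else 0
        lines += [
            f"      edit {entry_id}",
            f"        set fortiguard-category {category}",
            "      next",
        ]
    lines += ["    end", "  next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ver in ("5.2", "5.4", "5.6"):
        print(f"# FortiOS {ver}")
        print(address_block(ver, ENTRIES))
        print(exempt_block(ver, ENTRIES, categories=(31, 33) if ver == "5.6" else ()))
        print()
```

Keeping the list in one structure also makes it easy to diff against what is actually on the device after an upgrade, which is the situation the article opens with.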


For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
If you create a new VDOM after upgrading your FortiGate, the exemptions will appear on the VDOM.