Default exemptions in the SSL deep-inspection profile

In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. However, if you upgrade your FortiGate to 5.2 from an earlier version, these addresses are not added to your configuration unless you perform a factory reset.

If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete list of the exemptions and information about the firewall addresses.

The exemption list

This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

Default firewall addresses

This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

CLI syntax

The following CLI commands add the firewall addresses to your FortiGate and then list them as exemptions in the deep-inspection SSL/SSH profile.

FortiOS 5.4

If you are using FortiOS 5.4, use the following commands (commands for 5.2 can be found below):

config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit deep-inspection
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end

FortiOS 5.2

If you are using FortiOS 5.2, use the following commands (in 5.2, FQDN addresses that contain wildcards are supported only for use with SSL inspection):

config firewall address
  edit "adobe"
    set type fqdn
    set fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type fqdn
    set fqdn "*.adobelogin.com"
  next
  edit "android"
    set type fqdn
    set fqdn "*.android.com"
  next
  edit "apple"
    set type fqdn
    set fqdn "*.apple.com"
  next
  edit "appstore"
    set type fqdn
    set fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type fqdn
    set fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type fqdn
    set fqdn "*.dropbox.com"
  next
  edit "eease"
    set type fqdn
    set fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type fqdn
    set fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type fqdn
    set fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type fqdn
    set fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type fqdn
    set fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type fqdn
    set fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type fqdn
    set fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type fqdn
    set fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type fqdn
    set fqdn "*.icloud.com"
  next
  edit "itunes"
    set type fqdn
    set fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type fqdn
    set fqdn "*.microsoft.com"
  next
  edit "skype"
    set type fqdn
    set fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type fqdn
    set fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type fqdn
    set fqdn "*.windowsupdate.com"
  next
end

config firewall ssl-ssh-profile
  edit deep-inspection
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  next
end
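As an added example that is not Fortinet's code or part of the original page, the following Python builds both CLI blocks above from one list of exemptions, applying the address-type rule the text gives for 5.2 and 5.4 (wildcard-fqdn only exists in 5.4; 5.2 keeps the wildcard in a plain fqdn address), and lints a script for an entry closed with end instead of next. The EXEMPTIONS subset, the version tuple convention and the lint rule are my own construction.

```python
# Constructed subset of the page's exemption list: (address object name, FQDN pattern).
EXEMPTIONS = [
    ("adobe", "*.adobe.com"),
    ("auth.gfx.ms", "auth.gfx.ms"),
    ("firefox update server", "aus*.mozilla.org"),
]

def address_type(pattern, version):
    """5.4 has a dedicated wildcard-fqdn address type; 5.2 keeps a wildcard in a plain fqdn
    address (supported there only for SSL exemption). A pattern without '*' is fqdn on both."""
    return "wildcard-fqdn" if "*" in pattern and version >= (5, 4) else "fqdn"

def render(exemptions, version, profile="deep-inspection"):
    """Emit 'config firewall address' plus the profile's ssl-exempt table as one CLI script."""
    out = ["config firewall address"]
    for name, pattern in exemptions:
        kind = address_type(pattern, version)
        out += [f'  edit "{name}"', f"    set type {kind}", f'    set {kind} "{pattern}"', "  next"]
    out += ["end", "config firewall ssl-ssh-profile", f"  edit {profile}", "    config ssl-exempt"]
    for name, _ in exemptions:  # 'edit 0' makes FortiOS allocate the next free entry id
        out += ["      edit 0", "        set type address", f'        set address "{name}"', "      next"]
    out += ["    end", "  next", "end"]  # entries close with next; only the table closes with end
    return "\n".join(out) + "\n"

def lint(script):
    """Return 1-based line numbers where 'end' closes an entry that 'next' should have closed,
    or where 'end' has no open table. FortiOS accepts 'end' inside an entry, but it also leaves
    the table, so every 'edit' that follows is applied in the wrong place."""
    stack, issues = [], []  # one flag per open 'config' table: is an entry currently open?
    for no, line in enumerate(script.splitlines(), 1):
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(False)
        elif tok[0] == "edit" and stack:
            stack[-1] = True
        elif tok[0] == "next" and stack:
            stack[-1] = False
        elif tok[0] == "end":
            if not stack or stack.pop():
                issues.append(no)
    return issues
```

Paste the output of render(EXEMPTIONS, (5, 4)) or (5, 2) into the CLI of the matching firmware; run lint over any hand-edited script first.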

For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

If you create a new VDOM after upgrading your FortiGate, the exemptions will appear on the VDOM.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Joseph O’Brien

    Thanks for sharing this! Any chance you could post the relevant part of the config file? That would make it easier to add to our config.

    • Victoria Martin

      Hi Joseph,

      I will look into adding that info soon.

  • Dietmar

    Hi Victoria,
    Thanks also for sharing! Are there any changes or new entries for FOS 5.4.1? (maybe about WhatsApp, ...)
    Kind regards,
    Dietmar

    • Victoria Martin

      Hi Dietmar,

      You can check out the 5.4.1 Release Notes, as well as the What’s New for 5.4.1 document, to see what changes/additions have been made.

      Release Notes: http://docs.fortinet.com/uploaded/files/3075/fortios-v5.4.1-release-notes.pdf

      What’s New: http://docs.fortinet.com/uploaded/files/3111/fortigate-whats-new-54.pdf

      • Dietmar

        Dear Victoria,

        thanks for your information!

        The point is that I couldn’t find a list like yours either in those documents or online (help.fortinet.com, kb.fortinet.com, …).

        The only info that I can find is:

        “More exemptions to SSL deep inspection (267241)
        Some common sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.”
        But I was not able to find “267241” – I believe this should be a KB article – but couldn’t find it.
        Kind regards,
        Dietmar.

        • Victoria Martin

          267241 is actually a number from an internal system that Fortinet uses to track bugs and new features, rather than a KB article. I looked it up and it appears that the feature concerns adding the same exceptions to 5.4 that were added to 5.2.

          • Dietmar

            OK. Thanks a lot Victoria for checking and informing here!
            Kind regards,
            Dietmar

  • Mike Brown

    Hey Victoria,

    I was really excited when I found this write-up. I think it will solve issues with ChromeBooks and bypassing SSL-Inspection for a long list of URLs that Google gives out. https://support.google.com/chrome/a/answer/6334001?hl=en&ref_topic=3504941

    I’m running Firmware Version v5.2.8,build727 (GA) on a 1200D.

    Unfortunately, I’m not able to run the “set type wildcard-fqdn” command.

    After I run:
    config firewall address
    edit "Example Google URL"
    set type…

    My choices are:

    ipmask IP/netmask
    iprange IP range.
    fqdn Fully qualified domain name.
    geography Country name.
    wildcard IP/wildcard-netmask
    url Match URL pattern (explicit web proxy only).

    The wildcard option is specifically for IP which leads me down the wrong path:
    config firewall address
    edit "Example Google URL"
    set type wildcard
    set wildcard ?
    Any ip and Any mask

    Thoughts?

    Thanks!
    -Mike

    • Victoria Martin

      Hi Mike,

      Thank you for your comment. There was a change to the CLI between 5.2 and 5.4 that I was not aware of, as wildcard FQDNs were added as a supported type of address in 5.4.

      In the case of 5.2, the addresses have to be added as fully qualified domain names, with an asterisk used as a wildcard. In 5.2, a FQDN firewall address with a wildcard character is only supported for use with SSL inspection.

      As an example, in 5.2 the syntax to add an entry for Adobe is as follows:

      edit "adobe"
      set type fqdn
      set fqdn "*.adobe.com"
      next

      I will be updating this page to reflect the different commands in 5.2 vs 5.4.