Exempting Google from SSL inspection

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you will exempt Google websites from deep SSL inspection. Exempting these websites allows the Google Chrome browser to access them without errors.

You should use caution when exempting websites. In general, you should exempt only websites that you know you can trust. You could also consider exempting websites that do not function properly when subjected to SSL inspection, such as a site (or application) that uses certificate/public key pinning.

In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.

The full CLI configuration can be found at the end of this recipe.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Using the default deep-inspection profile

Go to System > Feature Select. Under Additional Features, make sure Multiple Security Profiles is enabled.

If necessary, Apply changes.

 

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

Under Security Profiles, enable Web Filter using the default profile. SSL/SSH Inspection is enabled by default. Set it to use the deep-inspection profile.

 

When the deep-inspection profile is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the sender.

For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.

 

This error occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning). This allows Chrome to determine that the certificate from the website does not match one belonging to Google. Because of this, Chrome believes that a “man in the middle” attack is occurring and blocks you from the compromised website.

2. Creating an SSL/SSH profile that exempts Google

In FortiOS 5.6, the two default profiles, certificate-inspection and deep-inspection, are read-only. In order to exempt Google, you must create a new profile.

Go to Policy & Objects > Addresses and create a new address.

Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by Google in your region (in the example, *.google.ca).

 
Go to Security Profiles > SSL/SSH Inspection and select the list view to view all profiles.
Select the deep-inspection profile, then select Clone to create a copy of this profile. This copy will have all the settings used by the default profile, while also being read-write.

Edit the new SSL profile and change its name (in the example, my-deep-inspection).

Exempt web categories and addresses are listed under Exempt from SSL Inspection. Add the address for Google to the list of exempt Addresses.

Go to Policy & Objects > IPv4 and edit the policy that allows users on the internal network to access the Internet.

Set SSL/SSH Inspection to use the new profile.

3. Results

Using Chrome, browse to google.ca. The site loads properly.  

 

CLI Syntax

The below CLI syntax is from the configuration shown above. Remember to substitute you own names/values when necessary.

config firewall address
    edit "Google Canada"
        set uuid 64b58d54-4fb2-51e7-23ee-0d067557e7ac
        set type wildcard-fqdn
        set wildcard-fqdn "*.google.ca"
    next
end

config firewall ssl-ssh-profile
    edit "my-deep-inspection"
        set comment "Deep inspection."
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google Canada"
            next
            edit 3
                set type address
                set address "Gotomeeting"
            next
            edit 4
                set type address
                set address "Windows update 2"
            next
            edit 5
                set type address
                set address "adobe"
            next
            edit 6
                set type address
                set address "android"
            next
            edit 7
                set type address
                set address "apple"
            next
            edit 8
                set type address
                set address "appstore"
            next
            edit 9
                set type address
                set address "auth.gfx.ms"
            next
            edit 10
                set type address
                set address "autoupdate.opera.com"
            next
            edit 11
                set type address
                set address "citrix"
            next
            edit 12
                set type address
                set address "dropbox.com"
            next
            edit 13
                set type address
                set address "eease"
            next
            edit 14
                set type address
                set address "firefox update server"
            next
            edit 15
                set type address
                set address "fortinet"
            next
            edit 16
                set type address
                set address "google-drive"
            next
            edit 17
                set type address
                set address "google-play"
            next
            edit 18
                set type address
                set address "google-play2"
            next
            edit 19
                set type address
                set address "google-play3"
            next
            edit 20
                set type address
                set address "googleapis.com"
            next
            edit 21
                set type address
                set address "icloud"
            next
            edit 22
                set type address
                set address "itunes"
            next
            edit 23
                set type address
                set address "microsoft"
            next
            edit 24
                set type address
                set address "skype"
            next
            edit 25
                set type address
                set address "softwareupdate.vmware.com"
            next
            edit 26
                set type address
                set address "swscan.apple.com"
            next
            edit 27
                set type address
                set address "update.microsoft.com"
            next
            edit 28
                set type address
                set address "verisign"
            next
            edit 29
                set fortiguard-category 31
            next
            edit 30
                set fortiguard-category 33
            next
        end
    next
end

config firewall policy
    edit 1
        set name "Internet"
        set uuid 05bbbea0-4610-51e7-289b-434738fcb746
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "my-deep-inspection"
        set nat enable
    next
end

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin
  • Was this helpful?
  • Yes   No