Exempting Google from SSL inspection


In this recipe, you will exempt Google Canada websites from deep SSL inspection. Exempting these websites allows the Chrome browser to access them without errors. 

You should use caution when exempting websites. In general, it is recommended that you only exempt websites that you know you can trust. The other reason for exempting a website is that it does not function properly when subjected to SSL inspection, for example a site (or application) that uses certificate/public key pinning.

In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.


Find this recipe for other FortiOS versions
5.2 | 5.6

1. Using the deep-inspection profile

Go to Policy & Objects > Policy > SSL/SSH Inspection and view the deep-inspection profile.

By default, this profile includes a number of web categories and addresses that are listed under Exempt from SSL Inspection. Currently, google.ca is not included.

Go to Policy & Objects > Policy > IPv4 and make sure the policy allowing connections from the internal network to the Internet uses the deep-inspection profile for SSL Inspection. For SSL inspection to be applied to traffic, make sure both Web Filter and Application Control are turned on in the policy.  

Using Google Chrome, browse to google.ca. An error appears that you cannot bypass.

This occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning). With full SSL inspection in place, the certificate Chrome receives from the website does not match one belonging to Google; instead it is the certificate that the SSL inspection profile generates for SSL inspection, and Chrome's pinned keys for Google do not match it. Because of this, Chrome concludes that a “man in the middle” attack is occurring and blocks you from the website. For more information about why this occurs, see Why you should use SSL inspection.


2. Creating a fully qualified domain name (FQDN) address for google.ca

Go to Policy & Objects > Objects > Addresses and create a new address.

Set Type to FQDN and set FQDN to the domain name used by Google in your region (in the example, *.google.ca).


3. Exempting google.ca from full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and edit the deep-inspection profile.

Add the FQDN for Google to the list of exempt Addresses.
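The same two steps from the FortiGate CLI, as an added example that is not part of the original recipe. The object name google.ca is an arbitrary label chosen here, and the command keywords are an assumption based on the FortiOS 5.x CLI syntax; verify them against the CLI reference for your firmware version before use.

```fortios
# Step 2: FQDN address object for the regional Google domain.
# "google.ca" is an arbitrary object name chosen for this example.
config firewall address
    edit "google.ca"
        set type fqdn
        set fqdn "*.google.ca"
    next
end

# Step 3: add that address to the exempt list of the deep-inspection profile.
# "edit 0" asks the CLI to allocate the next free entry ID (assumed FortiOS
# behaviour; run "show firewall ssl-ssh-profile deep-inspection" first to see
# the IDs already used by the default category entries).
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "google.ca"
            next
        end
    next
end
```

After the change, `show firewall ssl-ssh-profile deep-inspection` lists the exempt entries, and the browser test in step 4 confirms the result from the client side. Keep in mind what the exemption trades away: sessions to the exempted domain are still matched by the firewall policy but are no longer decrypted, so content-based features such as antivirus, DLP and URL filtering below the hostname cannot examine them. That is why the caution at the top of the recipe limits exemptions to domains you trust or that break under inspection.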


4. Results

Using Chrome, browse to google.ca. The site loads properly.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • DanOrth

    Hey Victoria, do Address Object FQDNs work differently for SSL Inspection than they do with FW policies? For example, in this KB article http://kb.fortinet.com/kb/documentLink.do?externalID=FD35297 it mentions not to use wildcard FQDNs as they are just a DNS lookup, and not a URL match.

    • Victoria Martin

      Hi Dan,

      Address Object FQDNs work the same in SSL inspection as for firewall policies. For SSL inspection, FQDNs are preferred, since you want to exempt based on the domain.

      Thank you for your comment; because of it I have updated step two to state that you are using Google’s domain name, rather than Google’s URL.

  • Victoria Martin

    Great, I’m glad I could help.

  • jarbro

    In FOS 5.2.7 I do not have pre-defined categories as shown above under Exempt addresses. Is there a baseline list anywhere I can reference?