Blocking HTTPS websites without SSL inspection on FortiGate
One of my clients wanted to block Facebook, but without using SSL inspection, as he didn't want to install the cert on hundreds of his staff computers.
I explained that without it there would be no other way to get it done. This came from all of Fortinet's own documentation, obviously.
Then, to convince the client, I opened a Fortinet ticket and got the same response: this can't be done without SSL inspection and certificate installation.
Now this guy hired some other service provider, and those guys simply blocked the social media signatures in app control, applied it to the policy, and IT HAS WORKED.
It doesn't say "FortiGuard blocked"; it just keeps the loading icon spinning and Facebook doesn't load at all.
The whole situation turned pretty embarrassing for us.
The Confusion
Fortinet needs to spend some time cleaning up its archive of posts and videos with outdated info, I guess.
In this and this video it is shown how HTTPS is blocked seamlessly by just using the SSL inspection "inspect all ports" method, without importing any certificate. Nothing is said about the SSL certificate warnings that almost always pop up when using HTTPS inspection. The Fortinet TAC's response also came across as what I can only call very non-committal: TAC simply told me "you must install the certificate if you get any errors". Really, I doubt there is ever a situation where you don't get certificate errors with SSL inspection on.