
Default exemptions in the SSL deep-inspection profile


In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. However, if you upgrade your FortiGate to 5.2 from an earlier version, these addresses are not added to your configuration unless you perform a factory reset.

If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete list of the exemptions and information about the firewall addresses.

The exemption list

This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

Default firewall addresses

This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

CLI syntax

The following CLI commands add the firewall addresses to your FortiGate and then add them as exemptions in the deep-inspection profile. Each entry exempts traffic to that destination from deep inspection, so add only the exemptions your environment actually needs.

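# Firewall address objects used by the default 5.2 SSL-inspection exemptions.
# Every entry is closed with "next"; the table is closed once with "end".
config firewall address
  edit "adobe"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobe.com"
  next
  edit "Adobe Login"
    set type wildcard-fqdn
    set wildcard-fqdn "*.adobelogin.com"
  next
  edit "android"
    set type wildcard-fqdn
    set wildcard-fqdn "*.android.com"
  next
  edit "apple"
    set type wildcard-fqdn
    set wildcard-fqdn "*.apple.com"
  next
  edit "appstore"
    set type wildcard-fqdn
    set wildcard-fqdn "*.appstore.com"
  next
  edit "auth.gfx.ms"
    set type fqdn
    set fqdn "auth.gfx.ms"
  next
  edit "autoupdate.opera.com"
    set type fqdn
    set fqdn "autoupdate.opera.com"
  next
  edit "citrix"
    set type wildcard-fqdn
    set wildcard-fqdn "*.citrixonline.com"
  next
  edit "dropbox.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.dropbox.com"
  next
  edit "eease"
    set type wildcard-fqdn
    set wildcard-fqdn "*.eease.com"
  next
  edit "firefox update server"
    set type wildcard-fqdn
    set wildcard-fqdn "aus*.mozilla.org"
  next
  edit "fortinet"
    set type wildcard-fqdn
    set wildcard-fqdn "*.fortinet.com"
  next
  edit "google-drive"
    set type wildcard-fqdn
    set wildcard-fqdn "*drive.google.com"
  next
  edit "google-play"
    set type fqdn
    set fqdn "play.google.com"
  next
  edit "google-play2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.ggpht.com"
  next
  edit "google-play3"
    set type wildcard-fqdn
    set wildcard-fqdn "*.books.google.com"
  next
  edit "googleapis.com"
    set type wildcard-fqdn
    set wildcard-fqdn "*.googleapis.com"
  next
  edit "Gotomeeting"
    set type wildcard-fqdn
    set wildcard-fqdn "*.gotomeeting.com"
  next
  edit "icloud"
    set type wildcard-fqdn
    set wildcard-fqdn "*.icloud.com"
  next
  edit "itunes"
    set type wildcard-fqdn
    set wildcard-fqdn "*itunes.apple.com"
  next
  edit "microsoft"
    set type wildcard-fqdn
    set wildcard-fqdn "*.microsoft.com"
  next
  edit "skype"
    set type wildcard-fqdn
    set wildcard-fqdn "*.messenger.live.com"
  next
  edit "softwareupdate.vmware.com"
    set type fqdn
    set fqdn "softwareupdate.vmware.com"
  next
  edit "swscan.apple.com"
    set type fqdn
    set fqdn "swscan.apple.com"
  next
  edit "update.microsoft.com"
    set type fqdn
    set fqdn "update.microsoft.com"
  next
  edit "verisign"
    set type wildcard-fqdn
    set wildcard-fqdn "*.verisign.com"
  next
  edit "Windows update 2"
    set type wildcard-fqdn
    set wildcard-fqdn "*.windowsupdate.com"
  next
end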

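# Register each address object above as an exemption in the deep-inspection profile.
# Every entry must be closed with "next": an "end" after an entry leaves the
# ssl-exempt table early, and the entries that follow are then not added.
config firewall ssl-ssh-profile
  edit deep-inspection
    config ssl-exempt
      edit 0
        set type address
        set address "adobe"
      next
      edit 0
        set type address
        set address "Adobe Login"
      next
      edit 0
        set type address
        set address "android"
      next
      edit 0
        set type address
        set address "apple"
      next
      edit 0
        set type address
        set address "appstore"
      next
      edit 0
        set type address
        set address "auth.gfx.ms"
      next
      edit 0
        set type address
        set address "autoupdate.opera.com"
      next
      edit 0
        set type address
        set address "citrix"
      next
      edit 0
        set type address
        set address "dropbox.com"
      next
      edit 0
        set type address
        set address "eease"
      next
      edit 0
        set type address
        set address "firefox update server"
      next
      edit 0
        set type address
        set address "fortinet"
      next
      edit 0
        set type address
        set address "google-drive"
      next
      edit 0
        set type address
        set address "google-play"
      next
      edit 0
        set type address
        set address "google-play2"
      next
      edit 0
        set type address
        set address "google-play3"
      next
      edit 0
        set type address
        set address "googleapis.com"
      next
      edit 0
        set type address
        set address "Gotomeeting"
      next
      edit 0
        set type address
        set address "icloud"
      next
      edit 0
        set type address
        set address "itunes"
      next
      edit 0
        set type address
        set address "microsoft"
      next
      edit 0
        set type address
        set address "skype"
      next
      edit 0
        set type address
        set address "softwareupdate.vmware.com"
      next
      edit 0
        set type address
        set address "swscan.apple.com"
      next
      edit 0
        set type address
        set address "update.microsoft.com"
      next
      edit 0
        set type address
        set address "verisign"
      next
      edit 0
        set type address
        set address "Windows update 2"
      next
    end
  end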

For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

If you create a new VDOM after upgrading your FortiGate, the default exemptions will be present in that new VDOM.


