Fortigate – Exempt certain categories from SSL inspection

When you have SSL inspection enabled on your firewall policies you may want to exempt certain categories from deep scanning. Certain applications look for specific certificates (for example via certificate pinning) and break when SSL inspection is enabled. The GUI lets you exempt the "Banking, Health Care and Personal Privacy" categories, but if you want to add other categories to that list you'll need to configure it via the CLI.

First you’ll need to get a list of the categories:

FortigateVM #get webfilter categories
g01 Potentially Liable:
      1 Drug Abuse
      3 Hacking
      4 Illegal or Unethical
      5 Discrimination
      6 Explicit Violence
     12 Extremist Groups
     59 Proxy Avoidance
     62 Plagiarism
     83 Child Abuse
  g02 Adult/Mature Content:
  .......

Next, add your categories to the exempt list. Note that `set exempt-ssl` replaces the whole list rather than appending to it, so you must repeat the default categories along with the new one. For example, if you want to exempt Business, add 49 to the defaults 31, 33 and 87:

config webfilter profile
edit default
config ftgd-wf
set exempt-ssl 31 33 49 87
end
end

Perhaps there are only a few sites you want to exempt instead of entire categories. This can be achieved by entering those sites under Rating Overrides. In the example below a new custom category called SSL_Exempt was created and the website was added to it.

The new custom SSL_Exempt category is listed under "get webfilter categories" as category 142; it needs to be added in two places:

config webfilter profile
edit TestingSSLExemptions
config ftgd-wf
set category override 142         <---- this must be added
set exempt-ssl 31 33 87 142
end
end
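Because `set exempt-ssl` takes the complete list, it is easy to drop the default categories when adding a new one. The following Python script, added here as an example and not part of the original post or of Fortinet's tooling, parses the `get webfilter categories` output shown above, resolves category names to ids, merges them with the defaults and renders the CLI snippets used in both the Business (49) and the custom SSL_Exempt (142) steps. The sample listing is constructed: group g01 and the ids 49 and 142 come from the post, the group headers for the other two entries are placeholders assumed for the example. The `set category override` line is emitted exactly as the post shows it.

```python
"""Build FortiGate `set exempt-ssl` commands from `get webfilter categories` output."""
import re
from typing import Dict, Iterable, List

# Constructed sample of `get webfilter categories` output. Group g01 is taken
# from the post; "Business" (49) and "SSL_Exempt" (142) use the ids the post
# gives, but their group headers are placeholders assumed for this example.
SAMPLE_LISTING = """\
g01 Potentially Liable:
      1 Drug Abuse
      3 Hacking
      4 Illegal or Unethical
      5 Discrimination
      6 Explicit Violence
     12 Extremist Groups
     59 Proxy Avoidance
     62 Plagiarism
     83 Child Abuse
g05 General Interest - Business:
     49 Business
g99 Custom Categories:
    142 SSL_Exempt
"""

# Category lines are "<id> <name>"; group headers are "gNN <title>:".
CATEGORY_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
GROUP_RE = re.compile(r"^\s*g\d+\s+.+:$")

# Ids the post identifies as the GUI defaults (Banking, Health Care, Personal Privacy).
DEFAULT_EXEMPT = (31, 33, 87)


def parse_categories(listing: str) -> Dict[str, int]:
    """Map category name -> id, skipping group headers and blank lines."""
    names: Dict[str, int] = {}
    for line in listing.splitlines():
        if not line.strip() or GROUP_RE.match(line):
            continue
        m = CATEGORY_RE.match(line)
        if m:
            names[m.group(2)] = int(m.group(1))
    return names


def build_exempt_list(categories: Dict[str, int], wanted: Iterable[str],
                      defaults: Iterable[int] = DEFAULT_EXEMPT) -> List[int]:
    """Resolve names to ids and merge them with the defaults; fail on unknown names."""
    ids = set(defaults)
    for name in wanted:
        if name not in categories:
            raise KeyError(f"unknown webfilter category: {name!r}")
        ids.add(categories[name])
    return sorted(ids)


def missing_defaults(exempt_ids: Iterable[int],
                     defaults: Iterable[int] = DEFAULT_EXEMPT) -> List[int]:
    """Return default ids that a proposed exempt-ssl list would silently drop."""
    present = set(exempt_ids)
    return sorted(d for d in defaults if d not in present)


def render_profile(profile: str, exempt_ids: Iterable[int],
                   custom_ids: Iterable[int] = ()) -> str:
    """Render the CLI snippet from the post for a given webfilter profile."""
    lines = ["config webfilter profile", f"edit {profile}", "config ftgd-wf"]
    for cid in custom_ids:
        # Custom (rating override) categories also need the override line.
        lines.append(f"set category override {cid}")
    lines.append("set exempt-ssl " + " ".join(str(i) for i in exempt_ids))
    lines += ["end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    cats = parse_categories(SAMPLE_LISTING)
    print(render_profile("default", build_exempt_list(cats, ["Business"])))
    print()
    print(render_profile("TestingSSLExemptions",
                         build_exempt_list(cats, ["SSL_Exempt"]),
                         custom_ids=[cats["SSL_Exempt"]]))
```

Paste the real `get webfilter categories` output into `SAMPLE_LISTING` (or read it from a file) and run `missing_defaults()` on any hand-written list before committing it, so a typo in the list does not quietly re-enable inspection of banking or health-care traffic.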
