When you have SSL inspection enabled on your firewall policies you may want to exempt certain categories from deep scanning. Some applications expect a specific certificate (certificate pinning, for example) and will break when SSL inspection is enabled. The GUI lets you exempt the “Banking, Health Care and Personal Privacy” categories, but if you want to add other categories to that list you’ll need to configure it via the CLI.
First you’ll need to get a list of the categories:
FortigateVM # get webfilter categories
g01 Potentially Liable:
    1 Drug Abuse
    3 Hacking
    4 Illegal or Unethical
    5 Discrimination
    6 Explicit Violence
    12 Extremist Groups
    59 Proxy Avoidance
    62 Plagiarism
    83 Child Abuse
g02 Adult/Mature Content:
    ...
Next add your categories to the exempt list. Note that “set exempt-ssl” replaces the whole list, so you must repeat the defaults: for example, to exempt Business, add 49 alongside the default 31, 33 and 87:
config webfilter profile
    edit default
        config ftgd-wf
            set exempt-ssl 31 33 49 87
        end
    end
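As an added example (not from the original post), the following Python parses the “get webfilter categories” output into an ID lookup and generates the exempt-ssl block from category names, always merging the GUI defaults back in so that adding a category never silently drops 31, 33 and 87. The sample output, the “gXX Constructed Group” header and the names given to 31/33/49/87 are constructed for the example.

```python
import re

# Constructed sample of "get webfilter categories" output in the layout the post
# shows: a group header ending in ':' followed by 'ID Name' lines. The g01 entries
# are the post's; 31/33/49/87 use the post's IDs under a constructed group header.
SAMPLE_OUTPUT = """\
g01 Potentially Liable:
    1 Drug Abuse
    3 Hacking
    59 Proxy Avoidance
    83 Child Abuse
gXX Constructed Group:
    31 Banking
    33 Health Care
    49 Business
    87 Personal Privacy
"""

DEFAULT_EXEMPT = (31, 33, 87)  # the three categories the GUI exempts by default


def parse_categories(text):
    """Return {id: (group, name)} from 'get webfilter categories' output."""
    cats, group = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):                   # group header, e.g. 'g01 Potentially Liable:'
            group = line[:-1]
            continue
        m = re.fullmatch(r"(\d+)\s+(.+)", line)  # category entry, e.g. '49 Business'
        if m and group is not None:
            cats[int(m.group(1))] = (group, m.group(2))
    return cats


def exempt_ssl_block(profile, names, cats, defaults=DEFAULT_EXEMPT):
    """CLI block adding `names` to exempt-ssl; the defaults are always merged back in."""
    by_name = {name.lower(): cid for cid, (_, name) in cats.items()}
    unknown = [n for n in names if n.lower() not in by_name]
    if unknown:  # fail loudly rather than emit a shorter list than intended
        raise ValueError(f"unknown webfilter categories: {unknown}")
    ids = sorted(set(defaults) | {by_name[n.lower()] for n in names})
    return "\n".join([
        "config webfilter profile",
        f"    edit {profile}",
        "        config ftgd-wf",
        "            set exempt-ssl " + " ".join(map(str, ids)),
        "        end",
        "    end",
    ])
```

Calling exempt_ssl_block("default", ["Business"], parse_categories(SAMPLE_OUTPUT)) produces the block shown above with “set exempt-ssl 31 33 49 87”.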
Perhaps there are only a few sites you want to exempt rather than entire categories. This can be achieved by entering those sites under Rating Overrides. In the example below a new custom category called SSL_Exempt was created and the site to exempt was added to it.
The new custom SSL_Exempt category is listed under “get webfilter categories” as category 142. It needs to be added in a couple of spots:
config webfilter profile
    edit TestingSSLExemptions
        config ftgd-wf
            set category override 142    <---- this must be added
            set exempt-ssl 31 33 87 142
        end
    end