Configuring an L2 exception list
In some jurisdictions, SSL interception and decryption is disfavored for some types of websites or disallowed entirely. You use the L2 Exception List configuration to define such destinations. You can leverage FortiGuard web filter categories, and you can configure a list of additional destinations.
Before you begin:
- You must have created a Web Filter Profile configuration that includes the web categories to exclude from SSL decryption.
- You must have hostname or IP address details on additional destinations you want to exclude from SSL decryption.
- You must have Read-Write permission for Load Balance settings.
After you have created an L2 exception list configuration object, you can select it in a Layer 2 virtual server configuration.
To configure an exception list:
- Go to Server Load Balance > SSL-FP Resources.
- Click the L2 Exception List tab.
- Click Create New to display the L2 Exception List configuration editor.
- Configure the following L2 Exception List settings:
Settings Guidelines Name
Configuration name. Valid characters are
A
-Z
,a
-z
,0
-9
,_
, and-
. No spaces. You reference this name in the profile configuration.Note: After you initially save the configuration, you cannot edit the name.
Description
A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.
Web Filter Profile
Select a Web Filter Profile configuration.
- Click Save.
The Member section becomes available to configure. - In the Member section, click Create New to display the Member configuration editor.
- Configure the following Member settings:
Settings Guidelines Type
How you want to define the exception:
- Host
- IP/Netmask
Host Pattern
The Host Pattern option is available if the Type is Host.
Specify a wildcard pattern, such as
*.example.com
.IP/Netmask
The IP/Netmask option is available if the Type is IP/Netmask.
Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash, such as 192.0.2.0/24.
Note:
- Dotted quad formatted subnet masks are not accepted.
- IPv6 addresses are not supported.
IP/Netmask Role
The IP/Netmask option is available if the Type is IP/Netmask.
Specify the role of the IP/Netmask:
- Destination — The IP/Netmask is set as the Destination IP, and the L2 SSL Forward Proxy VS will be bypassed based on this Destination IP.
- Source — The IP/Netmask is set as the Source IP, and the L2 SSL Forward Proxy VS will be bypassed based on this Source IP.
Comments
Optionally, enter a comment to describe this L2 Exception List Member.
- Click Save.
The L2 Exception List Member configuration is saved and added to the Member section. - Click Save to commit the changes made for the Member configuration.