Fortinet black logo

Cookbook

Creating an SSL/SSH profile that exempts Google

Copy Link
Copy Doc ID 4d801240-7ccc-11e9-81a4-00505692583a:655529
Download PDF

Creating an SSL/SSH profile that exempts Google

The two default SSL/SSH inspection profiles, certificate-inspection and deep-inspection, are read-only. To exempt Google, you must create a new profile.

  1. Go to Policy & Objects > Addresses and create a new address.

    Set Type to Wildcard FQDN.

    Set Wildcard FQDN to the domain name used by Google in your region (in this example, *.google.ca).

  2. Go to Security Profiles > SSL/SSH Inspection and select the list view in the top right to view all profiles.

  3. Select the deep-inspection profile and then select Clone to create a copy of this profile.

    This copy has the same settings as the default profile but is read-write so that you can modify it.

  4. Edit the new profile and change its name (in this example, my-deep-inspection).

    The Exempt from SSL Inspection section shows the exempt web categories and addresses.

    Add the address for Google to the list of exempt Addresses.

  5. Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

    Set SSL/SSH Inspection to use the new profile.

Creating an SSL/SSH profile that exempts Google

The two default SSL/SSH inspection profiles, certificate-inspection and deep-inspection, are read-only. To exempt Google, you must create a new profile.

  1. Go to Policy & Objects > Addresses and create a new address.

    Set Type to Wildcard FQDN.

    Set Wildcard FQDN to the domain name used by Google in your region (in this example, *.google.ca).

  2. Go to Security Profiles > SSL/SSH Inspection and select the list view in the top right to view all profiles.

  3. Select the deep-inspection profile and then select Clone to create a copy of this profile.

    This copy has the same settings as the default profile but is read-write so that you can modify it.

  4. Edit the new profile and change its name (in this example, my-deep-inspection).

    The Exempt from SSL Inspection section shows the exempt web categories and addresses.

    Add the address for Google to the list of exempt Addresses.

  5. Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

    Set SSL/SSH Inspection to use the new profile.