The two default SSL/SSH inspection profiles, certificate-inspection and deep-inspection, are read-only. To exempt Google, you must create a new profile.
- Go to Policy & Objects > Addresses and create a new address.
Set Type to Wildcard FQDN.
Set Wildcard FQDN to the domain name used by Google in your region (in this example, *.google.ca).
- Go to Security Profiles > SSL/SSH Inspection and select the list view in the top right to view all profiles.
- Select the deep-inspection profile and then select Clone to create a copy of this profile.
This copy has the same settings as the default profile but is read-write so that you can modify it.
- Edit the new profile and change its name (in this example, my-deep-inspection).
The Exempt from SSL Inspection section shows the exempt web categories and addresses.
Add the address for Google to the list of exempt Addresses.
- Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.
Set SSL/SSH Inspection to use the new profile.