URL certificate blocklist
As more malware uses SSL in an attempt to evade IPS, a fingerprint-based certificate blocklist is a useful way to block botnet communication that relies on SSL.
The blocklist is delivered as a dynamic package distributed by FortiGuard as part of the Web Filtering service. The feature is enabled by default in SSL/SSH profiles and can be configured with the following CLI commands:
config vdom
    edit <vdom>
        config firewall ssl-ssh-profile
            edit "certificate-inspection"
                set block-blacklisted-certificates enable
            next
            edit "deep-inspection"
                set block-blacklisted-certificates enable
            next
        end
    next
end
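To make the "fingerprint-based" part concrete, the following added example (not Fortinet code, and not how FortiOS implements the feature internally) shows the matching logic such a blocklist relies on: the fingerprint is a hash over the certificate's DER encoding, blocklist entries arrive in mixed formats (SHA-1 or SHA-256, with or without colons, any case) and must be normalized before comparison. The certificate bytes and the blocklist entries are constructed for the demo and are not a real X.509 certificate or real FortiGuard data.

```python
"""Illustrative fingerprint-based certificate blocklist check.

Added example; not Fortinet's implementation. Sample data is constructed.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of a PEM certificate and decode it to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Certificate fingerprints are hashes over the DER encoding."""
    return hashlib.new(algo, der).hexdigest().lower()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def load_blocklist(lines):
    """Parse blocklist lines, bucketing entries by hash length (SHA-1 vs SHA-256)."""
    bl = {"sha1": set(), "sha256": set()}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = normalize(line)
        if len(fp) == 40:
            bl["sha1"].add(fp)
        elif len(fp) == 64:
            bl["sha256"].add(fp)
        else:
            raise ValueError(f"unrecognized fingerprint length: {line!r}")
    return bl


def is_blocked(pem: str, blocklist) -> bool:
    """True if the certificate's SHA-1 or SHA-256 fingerprint is listed."""
    der = pem_to_der(pem)
    return (fingerprint(der, "sha1") in blocklist["sha1"]
            or fingerprint(der, "sha256") in blocklist["sha256"])


def _as_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample "certificates": arbitrary bytes wrapped as PEM, not real X.509.
BAD_DER = b"constructed-botnet-c2-certificate-bytes"
GOOD_DER = b"constructed-legitimate-certificate-bytes"
BAD_PEM = _as_pem(BAD_DER)
GOOD_PEM = _as_pem(GOOD_DER)

# Constructed blocklist: the bad cert listed once by uppercase colon-separated
# SHA-1 (as openssl prints it) and once by bare SHA-256, plus a comment line.
_sha1_colon = ":".join(fingerprint(BAD_DER, "sha1")[i:i + 2].upper() for i in range(0, 40, 2))
BLOCKLIST_TEXT = [
    "# constructed blocklist for the demo",
    _sha1_colon,
    fingerprint(BAD_DER, "sha256"),
]
BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    print("bad cert blocked: ", is_blocked(BAD_PEM, BLOCKLIST))
    print("good cert blocked:", is_blocked(GOOD_PEM, BLOCKLIST))
```

Because the fingerprint covers the exact DER bytes, a certificate re-issued with the same key, subject and issuer still gets a new fingerprint; a fingerprint blocklist therefore only catches certificates that have actually been observed, which is why it is distributed as a frequently updated dynamic package rather than a static list.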