Add option to disable the FortiGuard IP address rating
An option has been added to disable using the FortiGuard IP address rating for SSL exemptions and proxy addresses.
To disable using the FortiGuard IP address rating for SSL exemptions:
config firewall ssl-ssh-profile edit <name> set ssl-exemption-ip-rating {enable | disable} next end
To disable using the FortiGuard IP address rating for proxy addresses:
config firewall profile-protocol-options edit <name> config http set address-ip-rating {enable | disable} end next end
The ssl-exemption-ip-rating
and address-ip-rating
options are enabled by default, so when both a website domain and its IP address return different categories after being rated by FortiGuard, the IP address category takes precedence when evaluating SSL exemptions associated with the SSL inspection profile and proxy addresses associated with the proxy protocol options profile. SSL exemptions and the ssl-exemption-ip-rating
option work in both inspection modes (proxy and flow).
When the categories associated with the website domain and IP address are different, disabling the FortiGuard IP rating ensures that the FortiGuard domain category takes precedence when evaluating the preceding objects. For most websites, the domain category is valid when its IP address is unrated by FortiGuard. Since being unrated is considered as not having a category, the FortiGate uses the domain category as the website category.
A website might have an IP category that differs from its domain category. If they are different, the FortiGate uses the rating weight of the IP address or domain name to determine the rating result and decision. The rating weight is hard-coded in the FortiGate and depending on the relative category weights, the FortiGate may use the IP category instead of the website category. If the ssl-exemption-ip-rating
option is disabled in the SSL inspection profile, then the FortiGate uses the domain category as the website category, which ensures SSL exemption operation as intended.
The address-ip-rating
option in a proxy protocol options profile functions the same way as the ssl-exemption-ip-rating
option. If the address-ip-rating
option is disabled in a profile that is used in an explicit proxy policy that also uses a web filter profile, for HTTP or HTTPS traffic to a website that has different IP and domain categories and that matches the policy, the FortiGate will use the domain category when it evaluates categories for the web filter.