Wednesday, July 13, 2016

Fortigate web filtering - YouTube and Vimeo problem

The configuration part of the Fortigate web filter is very easy. Fortinet has done a good job of categorising web sites throughout the world, and you can easily select which categories you want to allow, which to block, and which to prompt the user with a warning.

For full inspection (proxy) you will need to use a certificate; either one from your own CA, or the certificate that is installed on the Fortigate by default. Either way, the client needs to trust that certificate or you will get browser warnings.

There is one problem with this, and that is sites using HSTS (HTTP Strict Transport Security). Most browsers support and enforce this protection mechanism if the site has it enabled. Short story: this mechanism blocks man-in-the-middle attacks, which is basically what the Fortigate is doing when you use full inspection (proxy) of traffic.

So if you want your users to be able to watch videos on YouTube and Vimeo, you will have to disable SSL inspection on the following URLs:

Here's a guide on how I did this on FortiOS 5.2.5.
- Go to "Security Profiles", "Advanced", and "Web Rating Overrides"
- Click the "Custom Categories" button on the top
- Create a new category (or rename one of the default custom ones that are built in) and name it "Whitelist". For convenience, you could also create two more: "Warning" and "Block". They are nice to have in case you want to override a category on a website.
- Go back to the "Web Rating Overrides" menu and click "Create New".
- Add the URLs I listed above and select the "Custom Categories" and "Whitelist". Do this for both URLs if you want both YouTube and Vimeo working.
- Go to your web filter profile and set the action for each of the new Local Categories you made to Allow, Warning, and Block respectively.
- Go to the "SSL/SSH Inspection" under "Policy & Objects", "Policy"
- Select your SSL profile from the list (if you have more than one)
- In the "Exempt from SSL Inspection" section, add the "Whitelist" category.

There you have it! You can still have the warning action on the "Streaming Media and Download" category: the users will get the Fortigate warning message, but will be able to click proceed and watch YouTube and Vimeo videos.

This is also possible to do in FortiOS 5.0, but you will have to do it through the CLI. The guide above will work for most of the settings (except that Fortinet moves stuff around like crazy with each firmware release), but you need to do the "Exempt from SSL Inspection" part from the CLI. You find this under the following CLI section:
    config webfilter profile
        edit [your_profile_name]
            config ftgd-wf
Do a "get" to see what the ID of your Whitelist category is.
Also do a "show" to see which other category IDs are already in exempt-ssl.
Copy the line with "set exempt-ssl", and add the ID of your Whitelist category at the end:
                set exempt-ssl [IDs_of_other_categories] [ID_of_your_Whitelist_category]
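As an added example, not taken from the original post or from Fortinet's documentation, here is the GUI procedure above and the 5.0 CLI step expressed as FortiOS 5.2-style CLI, so the result can be compared against a running unit with "show". The hostnames, the custom category ID 140, the profile name "default", the filter entry number and the ssl-ssh-profile name are all assumptions; check the exact keywords with "?" on your own firmware, since they move between releases.

```text
# Added example: FortiOS 5.2-style CLI for the Whitelist / SSL exemption.
# Every name and ID below is an assumed placeholder; adjust to your unit.

# 1. Custom (local) category used for the exemption. Custom categories
#    are numbered from 140 upward; 140 is assumed here.
config webfilter ftgd-local-cat
    edit "Whitelist"
        set id 140
    next
end

# 2. Rate the video hosts into that category (assumed hostnames).
config webfilter ftgd-local-rating
    edit "www.youtube.com"
        set status enable
        set rating 140
    next
    edit "vimeo.com"
        set status enable
        set rating 140
    next
end

# 3. Allow the category in the web filter profile (assumed name "default").
#    "monitor" is the CLI spelling of the GUI's Allow action.
config webfilter profile
    edit "default"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action monitor
                next
            end
        end
    next
end

# 4. Exempt the category from SSL inspection. In 5.0 this is instead
#    "set exempt-ssl ..." under "config ftgd-wf", as shown above.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 140
            next
        end
    next
end
```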

As an ending note I want to say that there are more sites using HSTS that can cause you headaches, so if you encounter any problems, try adding the URL to the Whitelist category. This will, however, whitelist the site completely, but I guess that's not an issue as you want to allow it :)