SSL Deep Packet Inspection (DPI) allows the FortiGate to decrypt and scan all HTTPS, SMTPS, POPS, IMAPS and FTPS sessions. It then re-encrypts and sends the packets off on their merry way (essentially a man in the middle attack).
I've recently enabled it in my lab and noticed that my DropBox kept on disconnecting. I suspect it's something to do with FortiGate certificate not being trusted in DropBox which would give an error.
The way I got around this is to enable the web site filter and excempt the dropbox.com domain from the webfilter (and DPI).
To set this up goto Security Policies > Web Filter > Profiles and edit the webfilter profile used in your web policy.
Next enable " and add the dropbox.com domain (simple, exempt & enabled). Click 'Apply' to save.
Now try to log back into DropBox and you should see the status come up as connected!
I've recently enabled it in my lab and noticed that my DropBox kept on disconnecting. I suspect it's something to do with FortiGate certificate not being trusted in DropBox which would give an error.
The way I got around this is to enable the web site filter and excempt the dropbox.com domain from the webfilter (and DPI).
To set this up goto Security Policies > Web Filter > Profiles and edit the webfilter profile used in your web policy.
Next enable " and add the dropbox.com domain (simple, exempt & enabled). Click 'Apply' to save.
Now try to log back into DropBox and you should see the status come up as connected!
6 comments:
Thank you! I was having this exact problem and this fixed it!
Hi, Sorry to use this comment box to talk to you because I couldn't see any other way to seek your help.
Device: Fortigate OS 4.3 / 5.0.5
Actually, I am interested in defining custom App Control signatures. I couldn't find any help, for example, to block facebook Ads. I have seen that HTML Div tags are being used but how to manipulate them is an issue.
It would be so nice of you to have such solution, please.
It is hard to believe that enterprise would allow such a thing. It opens an unfettered channel for malware and virus deployment right into the heart of enterprise. No wonder enterprise is wholesale blocking Dropbox. It is important to remember that Deep Packet Inspection is there to scan for security threats. Disabling it for this app or that app completely defeats the purpose of this security measure.
I think you misunderstood the purpose of my article. It's not about the security implications of disabling Dropbox, or enterprise best practices. It's a simple 'how-to' guide on what you would need to do to to get Dropbox working when you have DPI enabled on the policy. As per the article, I was testing this in my lab where DPI is not required for Dropbox traffic.
excelent. very clear, I remeber the flow webfilter.
it' s correct
thank you
Awesome this situation was a really headache and only put a exception, working thank you. Greetings.
Post a Comment