HTTPS Blocking on Fortinet 92D firewall

I just installed a Fortinet 92D firewall to replace my old SonicWALL TZ190. All the routing is set up and everything seems to be working fine; however, with the web filter it will only block HTTP sites. If you go to an HTTPS site, it works fine.

So sites like Facebook, Twitter, and many shopping websites work fine because they use HTTPS, not HTTP.

I found that if I went to the internal to WAN1 policy and turned on SSL inspection, it would then block HTTPS sites, but it blocked every HTTPS site. Turning that on also blocked all mobile devices from working on the network: if there was a phone connected to Wi-Fi and I turned on SSL inspection, no apps, web browsers, or anything else using the internet on the phone would work.

I don't want to block every HTTPS site; I want to block certain sites, like Twitter and Facebook and some shopping sites. However, I can't figure out how to do this.

They have the categories, and with social networking turned on, Facebook and Twitter still work, so it is the HTTPS portion of the website that makes it stop.

For instance, Yahoo's home page works fine when I block Yahoo; however, when you click on a link, at that point it says blocked, because the inner pages are HTTP but the home page is HTTPS.

I don't want to turn on the SSL inspection, block all HTTPS sites, and then have to allow sites, because there is an infinite number of sites that need to be allowed.
FosterThomas asked:

David Johnson, CD, MVP (Owner) commented:
With HTTPS inspection the device requires a certificate, and that certificate must be trusted by the clients, as you are now proxying the HTTPS requests, as described on the cookbook site:
http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/
0
bbao (IT Consultant) commented:
Which version of FortiOS are you running on the firewall?
0
FosterThomas (Author) commented:
v5.2.4,build688 (GA)

I understand the SSL inspection and what it does; however, that does it globally and slows down the entire network to a crawl.

Google's home page wouldn't even load because it uses HTTPS, and the SSL inspection shut down all internet on mobile devices. Some phones were prompted to accept the certificate and then they would work, but internet speed would crawl.

I understand the point of SSL inspection, but that's not what I want to do; I just want to be able to block certain websites that use HTTPS as standard, like Facebook, Twitter, etc.
0
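The reason the web filter can only act on the hostname of an HTTPS site, unless the firewall proxies the session with the certificate David mentions, is that TLS encrypts the request, including the URL path. Before any decryption the only name visible on the wire is the SNI hostname in the ClientHello (plus the server's certificate). The following is an added Python example, not FortiGate code and not the thread author's configuration: it parses a ClientHello record, pulls out the SNI hostname, and makes a hostname-only block decision against wildcard entries of the `*.facebook.com` kind. The ClientHello bytes are constructed inline rather than captured, and the wildcard rule (`*.facebook.com` covers subdomains but not the apex name) is this example's own assumption, not the vendor's exact semantics.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello record carrying an
# SNI extension. Built here to have realistic bytes to parse; not a capture.
def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x11" * 32              # random (constructed, fixed bytes)
        + b"\x00"                   # session_id: empty
        + b"\x00\x02\xc0\x2f"       # cipher_suites: one suite (length 2)
        + b"\x01\x00"               # compression_methods: null only
    )
    if include_sni:
        name = hostname.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_body = struct.pack("!H", len(name_list)) + name_list
        sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
        body += struct.pack("!H", len(sni_ext)) + sni_ext           # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is all a firewall can read about the request without decrypting
    the session: the hostname, never the URL path."""
    if len(record) < 5 or record[0] != 0x16:             # ContentType handshake
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # HandshakeType client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if len(body) < pos + 2:
        return None                                       # no extensions at all (older client)
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end and pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(data) < 2:
            continue
        # server_name_list: u16 length, then (u8 name_type, u16 length, name) entries
        p, end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= min(end, len(data)):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0 and p + name_len <= len(data):
                return data[p:p + name_len].decode("ascii", errors="replace")
            p += name_len
    return None


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Wildcard semantics used by this example (an assumption, not the
    vendor's exact rule): '*.facebook.com' matches any subdomain of
    facebook.com but not the apex name; any other pattern must match exactly."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern


# Example blocklist mirroring the sites named in the thread (constructed).
BLOCKLIST = ["*.facebook.com", "facebook.com", "*.twitter.com", "twitter.com"]


def filter_decision(record: bytes, blocklist=BLOCKLIST):
    """Hostname-only policy decision for one ClientHello record."""
    sni = extract_sni(record)
    if sni is None:
        return ("allow", None)       # nothing visible to match without decryption
    for pattern in blocklist:
        if hostname_matches(sni, pattern):
            return ("block", sni)
    return ("allow", sni)


if __name__ == "__main__":
    for host in ("www.facebook.com", "api.twitter.com", "www.linkedin.com"):
        print(host, filter_decision(build_client_hello(host)))
    print("no SNI", filter_decision(build_client_hello("www.facebook.com", include_sni=False)))
```

Run stand-alone, it prints one decision per hostname, including the no-SNI case an older client would produce, where a hostname filter has nothing to match on short of inspecting the server certificate or decrypting the session. That is also why a path-level block like "inner pages of Yahoo" can only ever work over HTTPS with a proxy certificate installed on every client.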
FosterThomas (Author) commented:
Never mind, everyone; that did not work after more investigation.

The only way I can block Twitter or Facebook is to go to the default profile and check "block social media". However, that blocks LinkedIn and other sites that are needed.

If I create a wildcard that just blocks *.twitter.com, it does not work; *.facebook.com doesn't work either, and Facebook is accessible.

I just want to be able to block certain social media sites individually, this is frustrating to say the least.
0
FosterThomas (Author) commented:
I found the link on my own, on another site, that fixed the issue.
0
bbao (IT Consultant) commented:
Good to know, and thanks for sharing the info.
0