Attempted Exemption from Fortigate SSL Certificate Inspection for Synology NAS Outgoing Connection to Microsoft OneDrive But Did Not Work


Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)

Country: Singapore

Date: 30 Jan 2022 Sunday Singapore Time


Type of Publication: Plain Text

Document Version: 20220130.01


Problem Description: Client Reports Her Synology NAS Cannot Connect to Microsoft OneDrive After Deployment of Fortigate 80F Firewall


Forum Discussion #1: HELP Needed please >>> Users suddenly cannot connect to Microsoft OneDrive and Sharepoint

Link: https://community.fortinet.com/t5/Fortinet-Forum/HELP-Needed-please-gt-gt-gt-Users-suddenly-cannot-connect-to/td-p/56216?m=183046


Forum Discussion #2: OneDrive synchronization error

Link: https://community.fortinet.com/t5/Fortinet-Forum/OneDrive-synchronization-error/m-p/167611?m=152352


DETAILED STEPS

===============


Log in to the FortiGate 80F firewall.


Go to Policy & Objects > Addresses


Create 56 address objects of type FQDN, one for each host listed in the following article.


Article: Required URLs and ports for OneDrive

Link: https://docs.microsoft.com/en-us/onedrive/required-urls-and-ports?redirectSourcePath=%252fen-us%252farticle%252fRequired-URLs-and-ports-for-OneDrive-ce15d2cc-52ef-42cd-b738-d9c6f9b03f3a


Go to Security Profiles > SSL/SSH Inspection.


Create a clone of the built-in deep-inspection profile.


Rename this cloned profile to "Allow OneDrive".


Edit "Allow OneDrive" SSL Inspection profile.


Under "Exempt from SSL Inspection", add the 56 address objects created for OneDrive in the earlier step. Note that an FQDN address object only matches sessions to IP addresses the FortiGate has already resolved or learned for that name, and a wildcard FQDN is learned only from DNS replies that pass through the FortiGate; if the NAS uses a resolver whose replies the firewall never sees, the exemption may not match its connections.


Reference Guide 1: SSL/SSH inspection

Link: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/24449/ssl-ssh-inspection


Reference Guide 2: Creating an SSL/SSH profile that exempts Google

Link: https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/655529/creating-an-ssl-ssh-profile-that-exempts-google


Click OK.


Go to Policy & Objects > Firewall Policy.


Edit the firewall policy for traffic from the internal network to wan1 (outgoing Internet access).


Change SSL Inspection profile to "Allow OneDrive".


Click OK.
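The same procedure expressed in the FortiOS CLI, added here as an example and not taken from the original post or from Fortinet's documentation. The object names, the three sample hostnames (a subset of the 56 in the Microsoft list), the interface names and the policy ID 1 are assumptions and must be replaced with the values on your own unit.

```fortios
# Added example (not from the original post): CLI equivalent of the GUI steps.
# Hostnames shown are a subset; object names and policy ID 1 are assumptions.

# 1. FQDN address objects for the OneDrive hosts
config firewall address
    edit "onedrive.live.com"
        set type fqdn
        set fqdn "onedrive.live.com"
    next
    edit "storage.live.com"
        set type fqdn
        set fqdn "storage.live.com"
    next
end

# Wildcard hostnames from the Microsoft list cannot go in a plain FQDN object.
# A wildcard FQDN object is populated only from DNS replies the FortiGate sees.
config firewall wildcard-fqdn custom
    edit "wc-sharepoint.com"
        set wildcard-fqdn "*.sharepoint.com"
    next
end

# 2. Clone deep-inspection to "Allow OneDrive" and add the exemptions
config firewall ssl-ssh-profile
    clone "deep-inspection" to "Allow OneDrive"
    edit "Allow OneDrive"
        config ssl-exempt
            edit 1
                set type address
                set address "onedrive.live.com"
            next
            edit 2
                set type address
                set address "storage.live.com"
            next
            edit 3
                set type wildcard-fqdn
                set wildcard-fqdn "wc-sharepoint.com"
            next
        end
    next
end

# 3. Attach the profile to the existing outgoing Internet access policy
config firewall policy
    edit 1
        set ssl-ssh-inspection-profile "Allow OneDrive"
    next
end
```

Before concluding that an exemption is not honoured, run `diagnose firewall fqdn list` and confirm that each FQDN object actually has resolved IP addresses behind it; an object with no addresses cannot match any session, and a wildcard object stays empty until the firewall has snooped a matching DNS reply.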


Above Steps Did Not Work

===========================


Unfortunately, the above steps did not work. I had to create a new firewall policy on top of the outgoing internet access policy specifically dedicated to the Synology NAS with all Security Profiles turned off. This method works.
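The workaround described above, a dedicated policy for the NAS with no security profiles placed above the general outbound policy, written as FortiOS CLI. This is an added example, not configuration from the original post; the NAS address 192.168.1.50, the object and interface names, and the policy IDs (20 for the new policy, 1 for the existing outbound policy) are assumptions.

```fortios
# Added example (not from the original post): bypass policy for the NAS only.
# NAS address, interface names and policy IDs 20 and 1 are assumptions.

config firewall address
    edit "Synology-NAS"
        set type ipmask
        set subnet 192.168.1.50 255.255.255.255
    next
end

config firewall policy
    edit 20
        set name "NAS-to-Internet-no-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Synology-NAS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        # No security profiles on this policy; the SSL/SSH profile is the
        # built-in "no-inspection" so the NAS session is never intercepted.
        set ssl-ssh-inspection-profile "no-inspection"
        set logtraffic all
    next
    # Policy order matters: the NAS policy must sit above the general policy,
    # otherwise policy 1 (with deep inspection) still matches the NAS first.
    move 20 before 1
end
```

Keep the uninspected path as narrow as the situation allows: restricting srcaddr to the single NAS host and service to HTTPS, as above, means the rest of the network is still inspected, and logging the policy keeps a record of what leaves through the bypass. Setting dstaddr to the OneDrive address objects instead of all narrows it further, with the same FQDN-resolution caveat as the exemption approach.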


Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 30 Jan 2022, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a Systems Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.



