Configuring an L2 exception list

In some jurisdictions, SSL interception and decryption are disfavored for some types of websites or disallowed entirely. You use the L2 Exception List configuration to define such destinations. You can leverage FortiGuard web filter categories, and you can configure a list of additional destinations.

Before you begin:

After you have created an L2 exception list configuration object, you can select it in a Layer 2 virtual server configuration.

To configure an exception list:
  1. Go to Server Load Balance > SSL-FP Resources.
  2. Click the L2 Exception List tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 30.
  5. Save the configuration.

Table 30: L2 exception list configuration

Settings Guidelines


Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the profile configuration.

Note: After you initially save the configuration, you cannot edit the name.


A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

Web Filter Profile

Select a Web Filter Profile configuration.



How you want to define the exception:

  • Host
  • IP

Host Pattern

Specify a wildcard pattern, such as *


Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash, such as


  • Dotted quad formatted subnet masks are not accepted.
  • IPv6 addresses are not supported.
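The following pre-entry check is an added example, not Fortinet code or part of the original page: it lints a planned exception list against the rules in Table 30 (valid name characters, Host or IP entries, CIDR prefix only, no IPv6). It assumes that `*` in a host pattern matches any run of characters, and it additionally flags entries so broad that they would exempt all traffic from decryption; the function names and sample entries are constructed for illustration.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")   # name characters allowed by Table 30
LABEL_RE = re.compile(r"[A-Za-z0-9*-]+")  # assumption: '*' may replace all or part of a label

def check_name(name):
    if NAME_RE.fullmatch(name):
        return []
    return ["name: only A-Z, a-z, 0-9, _ and - are valid (no spaces)"]

def check_host(pattern):
    labels = pattern.split(".")
    if any(not LABEL_RE.fullmatch(label) for label in labels):
        return ["host: not a hostname wildcard pattern"]
    if all(set(label) == {"*"} for label in labels):
        # e.g. "*" or "*.*": every destination would bypass decryption
        return ["host: pattern matches every destination"]
    return []

def check_ip(entry):
    addr, sep, mask = entry.partition("/")
    if not sep:
        return ["ip: expected address/prefix-length"]
    if ":" in addr:
        return ["ip: IPv6 addresses are not supported"]
    if "." in mask:
        # ipaddress would accept 255.255.255.0 here, the exception list does not
        return ["ip: dotted quad subnet masks are not accepted"]
    try:
        net = ipaddress.IPv4Network(entry, strict=False)
    except ValueError as exc:
        return [f"ip: {exc}"]
    if net.prefixlen == 0:
        return ["ip: /0 exempts every IPv4 destination from decryption"]
    return []

def lint(name, entries):
    """entries: list of (kind, value) pairs, kind being 'host' or 'ip'.
    Returns only the items that have problems; an empty dict means clean."""
    checkers = {"host": check_host, "ip": check_ip}
    report = {"name": check_name(name)}
    for kind, value in entries:
        checker = checkers.get(kind)
        report[value] = checker(value) if checker else [f"unknown type {kind!r}"]
    return {key: problems for key, problems in report.items() if problems}
```

Running `lint()` over the planned entries before typing them into the configuration editor catches rejected formats and over-broad bypass rules in one pass.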