Technical Tip: Custom certificate for block page when using explicit proxy
Description
This article describes how to use a custom certificate for the error/block page when using an explicit proxy.
Scope
FortiGate.
Solution
CLI configuration:
config web-proxy global
    set ssl-cert "Fortinet_Factory"
    set ssl-ca-cert "Fortinet_CA_SSL" <----- Replace this with the custom CA certificate to be used for the block page.
end
In 7.4.9+ and 7.6.3+, the certificate for the block page generated by a deny policy can be overridden by the CA certificate of the ssl-ssh-profile applied to that proxy policy:
config firewall proxy-policy
    edit <policy ID>
        set proxy explicit-web
        set dstintf <outgoing_interface>
        set srcaddr "all"
        set dstaddr "gmail.com" "twitter.com" "wildcard.google.com"
        set service "webproxy"
        set schedule "always"
        set ssl-ssh-profile "my_deep_inspection" <----- The CA certificate configured in this profile is used to sign the block page.
    next
end
Note: The certificate used for the block page must have the CA flag set to 'True', because the FortiGate intercepts the connection and serves the replacement message with a certificate it signs on the fly. If the CSR was not generated on the FortiGate, the certificate must be imported together with its private key.
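The following script, added here as an example and not part of the Fortinet article, checks the two requirements from the note before a certificate is imported: that the certificate carries basicConstraints CA:TRUE, and that the private key being imported with it actually matches its public key. It assumes the openssl command line tool is available; the certificates it generates are constructed test material, not anything from a FortiGate.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): sanity-check a certificate and
# private key before importing them as the block-page CA certificate.
# Requires the openssl CLI; the certificates generated below are constructed test data.

# Returns 0 when the cert carries CA:TRUE and the key matches the cert's public key.
check_block_page_cert() {
    cert="$1"
    key="$2"
    # The block page is served by intercepting the connection, so the
    # certificate must be usable as a CA (basicConstraints CA:TRUE).
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert does not have the CA flag set" >&2
        return 1
    fi
    # The private key must accompany the certificate on import; verify the pair
    # by comparing the public key derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert" >&2
        return 1
    fi
    echo "OK: $cert is a CA certificate with a matching private key"
    return 0
}

# Constructed test material: one self-signed CA and one non-CA leaf certificate,
# written to a temporary directory whose path is printed.
make_test_certs() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n[leaf]\nbasicConstraints=CA:FALSE\n' > "$dir/ext.cnf"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=Example Block Page CA' -config "$dir/ext.cnf" -extensions ca \
        -days 30 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj '/CN=leaf.example' -config "$dir/ext.cnf" -extensions leaf \
        -days 30 -keyout "$dir/leaf.key" -out "$dir/leaf.crt" 2>/dev/null
    echo "$dir"
}

# Demonstration: the CA pair passes, the leaf and a mismatched pair are rejected.
TEST_DIR=$(make_test_certs)
check_block_page_cert "$TEST_DIR/ca.crt" "$TEST_DIR/ca.key" || true       # OK
check_block_page_cert "$TEST_DIR/leaf.crt" "$TEST_DIR/leaf.key" || true   # FAIL: no CA flag
check_block_page_cert "$TEST_DIR/ca.crt" "$TEST_DIR/leaf.key" || true     # FAIL: key mismatch
```

Run it against the real certificate and key files (check_block_page_cert mycert.crt mycert.key) before importing them; a FAIL on the first check means the block page cannot be served with that certificate regardless of how the proxy is configured.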