buntha
New Member
May 11, 2015
Question

Block Https with Web Filtering & SSL/SSH Inspection Error

  • May 11, 2015
  • 7 replies
  • 16494 views

Dear Everyone!!

I am using a FortiGate 300C and I want to block YouTube with https://youtube.com & https://facebook.com,

but after enabling web filtering with SSL/SSH inspection I cannot use some websites, such as https://gmail.com

and yahoo.com; it shows a certificate error message, like the image below.

Do you have any solution to fix it?

Thanks!!!!!

    7 replies

    lunhas2k4
    Explorer II
    May 13, 2015

    Hi,

    Which version of FortiOS are you using?

    On 5.2.2 you can solve this issue in two ways:

    1- Install the FortiGate certificate on all the machines in your network; you can achieve that with a GPO. You appear to be using the proxy version of the web filtering and the "full-certificate inspection" profile on the SSL/SSH inspection.

    2- Change the web filter from proxy to flow-based and set the SSL and SSH inspection to "certificate-inspection". If you are using application control as well, do not set full inspection on it either.

    Let us know how it goes.

    SteveRoadWarrior
    New Member
    May 15, 2015

    If you aren't ready for 5.2 yet, you can resolve this by editing the Web Filter policy:

    In the attached picture we excluded filtering for *.dropbox.com.

    You can add the other sites as well.

    However, from what I'm seeing in your post you didn't deploy the SSL cert through group policy properly. See the first post.

    You should only be having issues with apps which aren't using the native Windows (OS) SSL cert repository.
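
Putting the GPO-deployment advice from the two replies above into a checkable form, as an added example that is not from this thread or from Fortinet: it imports the FortiGate inspection CA into the Windows machine store and then verifies, against one HTTPS site, whether the session is being re-signed and whether Windows now trusts the result. The CA file path and the test host are placeholder assumptions.

```powershell
# Added example (not from this thread or Fortinet): trust the FortiGate SSL-inspection CA on a
# Windows client and confirm that an inspected HTTPS session now chains to it.
# Assumptions (placeholders): the CA exported from the FortiGate is saved at $CaPath and
# $TestHost is any HTTPS site whose traffic passes through the inspection policy.
$CaPath   = 'C:\certs\Fortinet_CA_SSL.cer'
$TestHost = 'www.example.com'

# 1. Import the CA into the machine-wide Trusted Root store. This is what a GPO
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities) pushes to every
#    domain-joined PC; running it by hand needs an elevated shell.
$ca = Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# 2. Open a TLS session and keep the certificate the client actually received.
#    The callback records Windows' own verdict, then returns $true so the handshake
#    completes and we can examine the certificate ourselves.
$script:tlsErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:tlsErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($TestHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 3. Rebuild the chain against the local store: the root it ends at tells us whether
#    the FortiGate re-signed the site, and Build() tells us whether Windows trusts it.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($leaf)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Leaf subject : $($leaf.Subject)"
Write-Host "Leaf issuer  : $($leaf.Issuer)"
Write-Host "Chain root   : $($root.Subject)"
Write-Host "SslStream verdict: $script:tlsErrors   X509Chain.Build: $trusted"
if ($root.Thumbprint -eq $ca.Thumbprint -and $trusted) {
    Write-Host 'Inspected by the FortiGate, and the OS store now trusts the re-signed chain.'
} elseif ($leaf.Issuer -eq $ca.Subject) {
    Write-Warning "FortiGate-issued leaf but the chain is not trusted: $($chain.ChainStatus.Status -join ', ')"
} else {
    Write-Host 'Not re-signed on this path (exempted, certificate-inspection mode, or not inspected).'
}
```

Firefox and Java keep their own trust stores, so they still warn after this import unless the CA is added there too (Firefox can be told to read the Windows store via its security.enterprise_roots.enabled preference); those are the applications the last sentence above refers to.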

    buntha
    bunthaAuthor
    New Member
    May 18, 2015

    I am sorry for late reply.

    Now I am using version 5.0. If version 5.2 can resolve this problem then I will upgrade the firmware to version 5.2, and I will follow your instructions temporarily after completing the upgrade to v5.2.

    Thanks!!!!!

    kubimike
    New Member
    March 5, 2020

    Get OpenSSL, create a certificate, install it on all the PCs. Install the certificate on the FG. Configure transparent proxy, use proxy-based on the outbound policy, under protocol options pick the proxy you created. On SSL inspection select custom deep inspection.

    SteveRoadWarrior
    New Member
    May 20, 2015

    Save your 5.0 config first in case you need to go back to it.

    Be careful that upgrading doesn't make your internet access stop working.

    Be prepared to go back to 5.0 if that happens.

    buntha
    bunthaAuthor
    New Member
    May 21, 2015

    Thanks for the advice, I will back up the configuration after upgrading to version 5.2.

    I have one question: if I upgrade over the internet or upgrade by TFTP, which one is the best way for me?

    Now in transparent mode only web filtering and email filtering can update; the other features do not update and show as Unreachable.

    Thanks!!!!!!

    lunhas2k4
    Explorer II
    May 22, 2015

    I prefer to always upgrade by TFTP. Should the internet connection not be at its best, the better option is to have the file you need locally on your machine and then upgrade. And as was mentioned before, make sure you back up your configuration.

    Also have a look at the upgrade path. I usually take a full backup config at every step of the update path to the desired destination.

    Luis_Pereira
    New Member
    March 4, 2020

    Hello!

    If you only want to block those specific domains there's no need to enable SSL/SSH inspection. When it's enabled, the firewall will be placing its self-signed certificate in the middle of the request, so the trusted CA of the website will no longer be handling the encryption.

    That warning is because the browser catches it as an attempt at a MITM attack; you can try to download and manually install the self-signed CA.

    You can read more about SSL/SSH inspection here.