BK_LGW
New Member
June 21, 2019
Question

Cert Error - SSH Inspection (FW Cert Has Been Installed On PC)


Hello all. Web filtering with Full SSL Inspection, we've deployed the FW default certificate to end user PCs and for the most part inspection runs without a hitch. Sometimes, however, we get a cert error like the one I've attached (I was testing to make sure the FW completely kills UltraSurf). The certificate says it's from *.fortinet.com when it should say it's from "ultrasurf.us" or whichever website the user was trying to get to in the first place. Why does this happen? I'd appreciate any guidance you can offer.

 

1 reply

hubertzw
New Member
June 21, 2019

There are some web servers which don't let you decrypt the traffic. You can verify it by accessing the same URL using Edge or IE; they don't support HPKP (HTTP public key pinning). You can force users to use a web browser which doesn't support this feature or add the URL to the exemption list.

Bromont_FTNT
Staff
June 21, 2019

You said you want to block ultrasurf.us, right? So basically the FortiGate is trying to show the Blocked Page, which of course would have the Fortinet certificate, but the browser is expecting ultrasurf.
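
Added example, not part of the thread: the name check a browser applies, used to tell a correctly re-signed certificate from one presented for a different site (as with the blocked-page case in the last reply). The certificate dicts follow the layout of Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, the CA name `EXAMPLE-FW-INSPECTION-CA` and the function names are constructed for illustration.

```python
# Triage for certificate warnings seen behind full SSL inspection.
# Input certs use the dict layout returned by ssl.SSLSocket.getpeercert().

FW_CA = "EXAMPLE-FW-INSPECTION-CA"  # placeholder: CN of the CA deployed to the PCs

def _cn(rdns):
    """First commonName in a subject/issuer RDN sequence, or None."""
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _cn(cert.get("subject", ()))
    return names or ([cn] if cn else [])

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def classify(requested_host, cert, inspection_ca_cn=FW_CA):
    covered = any(name_matches(n, requested_host) for n in cert_names(cert))
    from_fw = _cn(cert.get("issuer", ())) == inspection_ca_cn
    if covered and from_fw:
        return "INSPECTED"        # firewall re-signed a cert for this host
    if covered:
        return "NOT_INSPECTED"    # origin cert reached the client (exempt/bypass)
    return "NAME_MISMATCH"        # cert is for another name: browser warns

# Constructed samples: a re-signed site cert and a cert for *.fortinet.com.
RESIGNED = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", FW_CA),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}
OTHER_SITE = {
    "subject": ((("commonName", "*.fortinet.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "*.fortinet.com"),),
}

if __name__ == "__main__":
    print(classify("www.example.org", RESIGNED))
    print(classify("ultrasurf.us", OTHER_SITE))
```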