Wurstsalat
Explorer
December 29, 2017
Question

HTTPS and replacement messages


Hi there,

We are currently running FortiOS 5.6.2.

So far it works, except for one thing: when we try to browse to an unknown address such as https://12351.heise.de we get a certificate warning, because the factory default CA certificate is used to generate the certificate for the replacement message site. Our clients reach the Internet through an explicit proxy.

 

So we checked our SSL/TLS inspection profiles. All profiles except the factory defaults use CA certificates which are trusted by our clients, and it works for all sites which are reachable. So far we don't see where else we can configure this behaviour.

 

The factory default profiles can't be changed to a trusted cert; in the CLI we get

"Cannot modify the read-only factory default profiles! object set operator error, -657 discard the setting Command fail. Return code -657"

 

So how can we configure the FortiGate to issue the certificate for unknown sites/IPs with our own CA certificate?

 

Hope someone can help


    Wurstsalat
    Explorer
    January 8, 2018

    Does no one have any idea on this?

    oheigl
    New Member
    January 8, 2018

    You don't use any factory default SSL/TLS profiles? Did you check the settings in the CLI? There is one certificate which can't be set via the web interface:

     

    set caname "Fortinet_CA_SSL"
    set untrusted-caname "Fortinet_CA_Untrusted"

     

    Check if these are not the default ones but your own certificates.
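    A way to verify from the client side which CA actually signs the certificate the explicit proxy presents for an unreachable host, as an added example that is not part of the thread or of any Fortinet tool. It sends an HTTP CONNECT through the proxy (PROXY_HOST and PROXY_PORT are placeholders), completes a TLS handshake without validation so that the certificate can be inspected even when it is untrusted, and then reads the issuer and subject CN out of the DER certificate with a small hand-written parser, so nothing beyond the standard library is needed. The names "Fortinet_CA_SSL" and "Fortinet_CA_Untrusted" are the factory-default CA names quoted above; treating anything else as "your own CA" is an assumption. The sample certificate built by sample_cert() is constructed for offline testing and is not a real or signed certificate.

```python
import socket
import ssl

# Factory-default FortiOS CA names as quoted in the thread; any other issuer
# is assumed (assumption) to be the administrator's own CA.
FACTORY_DEFAULT_CAS = {"Fortinet_CA_SSL", "Fortinet_CA_Untrusted"}
OID_CN = b"\x55\x04\x03"  # X.520 id-at-commonName (2.5.4.3)
PROXY_HOST, PROXY_PORT = "proxy.example.internal", 8080  # placeholders


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _name_cn(buf, start, end):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn_s, rdn_e in _children(buf, start, end):        # each RDN (SET)
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):  # each AttributeTypeAndValue
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == OID_CN:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None


def cert_names(der):
    """Return (issuer_cn, subject_cn) from a DER-encoded X.509 certificate."""
    _, cert_s, cert_e = _tlv(der, 0)        # Certificate SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)     # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2], fields[4]
    return _name_cn(der, issuer[1], issuer[2]), _name_cn(der, subject[1], subject[2])


def is_factory_default(issuer_cn):
    """True when the certificate was minted by a FortiOS factory-default CA."""
    return issuer_cn in FACTORY_DEFAULT_CAS


def probe_via_proxy(target_host, target_port=443, proxy=(PROXY_HOST, PROXY_PORT)):
    """CONNECT through the explicit proxy and report who signed the served cert."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                 f"Host: {target_host}:{target_port}\r\n\r\n".encode())
    resp = b""
    while b"\r\n\r\n" not in resp:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        resp += chunk
    status = resp.split(b"\r\n", 1)[0]
    if b" 200 " not in status:
        raise ConnectionError(f"proxy refused CONNECT: {status!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspect the certificate, do not trust it
    with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
        der = tls.getpeercert(binary_form=True)
    issuer, subject = cert_names(der)
    return issuer, subject, is_factory_default(issuer)


def _der(tag, content):
    """Minimal DER TLV encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton carrying only the fields
    cert_names() reads; for offline testing, not a valid certificate."""
    def name(cn):
        atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))  # UTF8String CN
        return _der(0x30, _der(0x31, atv))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                # [0] version v3
               + _der(0x02, b"\x01")                          # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + name(issuer_cn)
               + _der(0x30, _der(0x17, b"171229000000Z") + _der(0x17, b"181229000000Z"))
               + name(subject_cn)
               + _der(0x30, b""))                              # empty subjectPublicKeyInfo
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Run against a host that does not resolve; expect your own CA, not Fortinet_CA_SSL.
    print(probe_via_proxy("12351.heise.de"))
```

    If the issuer comes back as Fortinet_CA_SSL for the unreachable host while reachable hosts show your own CA, the replacement-message certificate is being minted by the factory-default CA rather than by the CA configured in your inspection profile, which is exactly the symptom described in the question.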

    Wolkenstuermer
    New Member
    June 6, 2018

    We are facing the same problems. Is there any news on that?

     

    Yes, there is the possibility to switch off HTTPS error messages altogether, but that is not what we want.