dvdsmith
New Member
April 4, 2017
Question

SSL Certificate Inspection breaks some sites

  • April 4, 2017
  • 1 reply
  • 26030 views

Has anyone else been running across more sites that will not load if certificate-inspection is used in the Web Filter? Also, this does not involve deep packet inspection. One example is edmunds.com.

 

I ended up creating a group of FQDN addresses including sites that break with certificate inspection and then a Policy with the group as destination, making sure it applied before other policies. The policy, either with a Web Filter with SSL Inspection disabled or no Web Filter at all, allows the group of sites through unimpeded. If I disable the Policy, a browser either presents a failed-to-load page or an SSL error page with no option to continue.

 

Today I found some content of edmunds.com wouldn't load unless I also added services.edmunds-media.com to the group.


    NotMine
    Explorer III
    April 4, 2017

    Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?

    dvdsmith (Author)
    New Member
    April 5, 2017

    slavko wrote:

    Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?

    Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not. I also find it peculiar that certificate-inspection doesn't break sites like Google Apps, which supposedly is big on security.

     

    Does anyone else find it a bit ridiculous that one would need to copy a CA cert to all clients just so Category filtering still works for sites like pornhub.com that recently switched to https?

     

    I'm looking at renewing/replacing my Fortigate, and this will definitely be a factor in evaluating alternatives.

    hmtay_FTNT
    Staff
    April 5, 2017

    Hello dvdsmith,

     

    >>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.

     

    This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?

     

    You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.

     

    HoMing
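The two things discussed in this thread, the FQDN bypass policy from the opening post and the replacement-message setting from the staff reply, written out as FortiOS CLI. This is an added example and not configuration posted by either participant; the interface names (`internal`, `wan1`), the address group name, the policy name, the web filter profile name and the policy ID used in the `move` command are assumptions, and the exact keywords follow FortiOS 5.x syntax, which differs between releases (check `show full-configuration` on your own unit). The `#` lines are explanatory comments and should be dropped when pasting into the CLI.

```text
# FQDN address objects for the hosts that break under certificate inspection.
# A page often pulls resources from a second hostname (the thread's
# services.edmunds-media.com), and each hostname needs its own object,
# because certificate inspection matches the server name, not the page.
config firewall address
    edit "edmunds.com"
        set type fqdn
        set fqdn "edmunds.com"
    next
    edit "services.edmunds-media.com"
        set type fqdn
        set fqdn "services.edmunds-media.com"
    next
end

config firewall addrgrp
    edit "ssl-inspect-bypass"
        set member "edmunds.com" "services.edmunds-media.com"
    next
end

# Policy that lets the group through with no SSL inspection and no UTM.
# "edit 0" creates the next free policy ID; the ID it is given is shown
# after "next" and is needed for the move command below.
config firewall policy
    edit 0
        set name "bypass-cert-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ssl-inspect-bypass"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status disable
        set ssl-ssh-profile "no-inspection"
        set nat enable
    next
end

# Policy order is top-down, so the bypass must sit above the inspecting
# policy. Assumed IDs: 12 is the new bypass policy, 5 is the existing
# policy that carries the web filter.
config firewall policy
    move 12 before 5
end

# Staff suggestion: with certificate inspection only, the FortiGate cannot
# inject a block page into a TLS session it does not terminate, so a
# blocked category shows up as a browser SSL error. Turning the HTTPS
# replacement message off makes a block a TLS reset instead of a broken
# page. This option applies to proxy-based inspection, as the reply notes.
config webfilter profile
    edit "default"
        set https-replacemsg disable
    next
end
```

A quick check that the bypass is actually being hit is to watch the forward traffic log for a session to one of the group's hosts and confirm the policy ID is the bypass policy, not the inspecting one; if a host still fails, the hostname in the certificate or SNI does not match any object in the group, which is exactly what happened with services.edmunds-media.com above.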