Miata
New Member
April 8, 2015
Solved

This Connection is Untrusted - Web Filtering Issues

  • April 8, 2015
  • 8 replies
  • 28118 views

Please see the attached.

This message appears with websites that I have blocked.

Thanks for your help.

Best answer by Bromont_FTNT


Bromont_FTNT
Staff
April 8, 2015

When a secure website is blocked, the FortiGate must present the blocked page message using its own certificate, which the browser of course does not trust, and therefore you get the certificate warning.

Miata
Author
New Member
April 8, 2015

Thanks for your reply.

But what if the user adds an exception? Can they still access the website? Is there any way they can access the website from this message?

Bromont_FTNT
Staff
April 8, 2015

If the user adds the exception (trust the invalid certificate) then it should display the FortiGate blocked page message.

Miata
Author
New Member
April 8, 2015

Also, is there a way to bypass this?

Christopher_McMullan
Staff
April 8, 2015

Depends what you want to bypass...

If you want to be presented with the block page, but still navigate to the page, you can set the category action to Warning or Authenticate. If you want to bypass certificate errors and block pages entirely, in OS 5.2 you can exempt FQDN address objects or FortiGuard categories from deep inspection in the SSL/SSH Inspection Profile.

Miata
Author
New Member
April 8, 2015

Thank you very much for your help.

Bromont_FTNT
Staff
April 8, 2015

I assumed you were not using SSL deep inspection... You are only getting cert errors when the page is to be blocked, correct?

Big_Abe
New Member
April 13, 2015

Since you're clearly using Firefox, don't forget (easy mistake) that Firefox doesn't use the Windows store for certificates.

In other words, you can push the certs by GPO for IE, but Chrome and FF require installation into their specific keystores.

If you want to see if it's a problem with your intermediary, browse to the page, get past the warning, then view the certificate from the toolbar. You can see what signed the certificate, to determine it's the one presented by the firewall, or your attempt to trust a root CA that is getting you the cert error.

The_Doctor
New Member
April 15, 2015

Hi Miata,

You must set the https-replacemsg option in your webfilter profile to disable (via CLI).

You can find the info here:

http://docs.fortinet.com/...tebook-and-tech-notes#