Paulsla
New Member
December 11, 2019
Question

Web filter Blocking gives Certificate error

  • December 11, 2019
  • 2 replies
  • 29010 views

On Version 6

When enabling SSL inspection and web filtering, when a page is blocked, the redirect to the message gives a certificate error.

Is there any way to choose the certificate that is used for the blocked page message?


My understanding is as follows:

1. Website is recognized as blocked in web filter category
2. Redirect to block page IP of local FortiGate
3. URL stays as normal, hence the FortiGate certificate does not match the URL

Have seen solutions saying to import the certificate to the client machine; however, this won't work as the IP on the signed cert won't match the DNS name of the site being accessed.


I remember on lower versions it would do a URL redirect to an http site on the FortiGate. What am I doing wrong here?


Dave_Hall
New Member
December 11, 2019

Perhaps something like KB#FD37342 is needed?


Forti500D
New Member
December 12, 2019

Are you enabling Deep SSL inspection? Then select the default SSL Inspection and try it; also check what category that webpage is included in in the web filter and make sure it's not blocked.

sw2090
SuperUser
December 16, 2019

Yes, basically you can change the cert in the SSL inspection profile settings.

Before that you must import the new cert into the certificates section of FortiOS.

The problem here is the cert type you need. Deep Inspection is needed to web filter HTTPS, and deep inspection is a man-in-the-middle method. So it needs to decrypt encrypted traffic, look at it, filter it and then re-encrypt the traffic again. It cannot do that with the original cert because it doesn't have the private key. So it will use a locally installed cert. Default is to use the built-in Fortinet cert. This is untrusted and I think it's also expired.

The problem is that for this you need a sub-CA cert. Most commercial CAs do not sell those, unfortunately.

We worked around this by having our own company-internal CA. The CA cert of this is distributed to all our clients and it can generate sub-CA certs...

Dave_Hall
New Member
December 16, 2019

I'm pretty sure Paul is referring to the web filter warning message itself. The KB I have linked to shows how to set up/link the Fortinet_CA_SSLProxy security certificate to allow the warning message to appear.
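As an added example (not code from the thread or from Fortinet), a small Python checker that takes a certificate in the dict form `ssl.SSLSocket.getpeercert()` returns and reports which browser complaint applies: the name mismatch from step 3 of the question (block page served under the original URL with the unit's own cert), an untrusted issuer as sw2090 describes, or both. The issuer name Fortinet_CA_SSLProxy is taken from Dave_Hall's reply; the certificates and the hostname www.example.com are constructed for the example.

```python
# Certificates below use the dict shape returned by ssl.SSLSocket.getpeercert().

# Constructed sample: a block page served with the unit's own certificate while
# the browser still shows the blocked site's URL (issuer CN taken from the thread).
BLOCK_PAGE_CERT = {
    "subject": ((("commonName", "FortiGate"),),),
    "issuer": ((("commonName", "Fortinet_CA_SSLProxy"),),),
    "subjectAltName": (),
}

# Constructed sample: a certificate re-signed by deep inspection for the real site.
RESIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Fortinet_CA_SSLProxy"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: a wildcard only counts as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def issuer_cn(cert: dict) -> str:
    """Common name of the issuing CA, or '' if the field is absent."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), "")


def diagnose(cert: dict, hostname: str, trusted_issuer_cns=()) -> str:
    """Return 'ok', 'name mismatch', 'untrusted issuer', or both joined by ' and '."""
    name_ok = any(_name_matches(n, hostname) for n in cert_names(cert))
    problems = []
    if issuer_cn(cert) not in trusted_issuer_cns:
        problems.append("untrusted issuer")
    if not name_ok:
        problems.append("name mismatch")
    return " and ".join(problems) or "ok"


if __name__ == "__main__":
    trusted = ("Fortinet_CA_SSLProxy",)  # CA cert already imported on the client
    print(diagnose(BLOCK_PAGE_CERT, "www.example.com", trusted))  # name mismatch
    print(diagnose(RESIGNED_CERT, "www.example.com", trusted))    # ok
```

Even with the FortiGate CA imported on the client, the block page case still fails on the name check, which is why importing the cert alone does not fix the symptom in the question.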