Skip to main content
max71
max71
Explorer
September 30, 2024
Question

web filter for https request

  • September 30, 2024
  • 1 reply
  • 1478 views

Hello , 

I run into this issues, 

internet -> fortigate -> fortiauthenticator (with reset password service)

everithing working correctly also fortytoken service , but i would like to restrict the access only for request addressed to https://urlfortigate/portal/selfservice/reset_password

this url open a web page on 443 for reset password service.

I wish to block every others web page that coming from internet to fortiauthenticator.

i though a webfilter that permit only 

urlfortigate/portal/selfservice/reset_password -- simple -- allow

* -- wildcard -- block

but another configuration is put the firewall policy using a certificate inspection.

If i use this config when the internet user can try to reach the fortiauthenticator web page to reset own password obtain that " you are not allowed to access this resource" ... i think is a fortiauthenticator message but i do not understand where this message born ... 

someone has tried to experience this issues ....

thank you

1 reply

AEK
SuperUser
AEK
SuperUser
September 30, 2024

Hi Massimo

If you want to allow or deny a HTTPS URL in a web filter then you need SSL deep inspection.

AEK
max71
max71Author
Explorer
October 2, 2024

hello AEK,

but how cert are managed by fortigate and fortiauthenticator,i need to export and import the cert in the firewall and fortiauthenticator ?

thank you

 

AEK
SuperUser
AEK
SuperUser
October 2, 2024

Hello Massimo

 

The fastest way is to use the FGT's predefined "deep-inspection" profile, or clone it and customize it.

Then on FGT, download the CA certificate "Fortinet_CA_SSL" (from System > Certificates) and install it on your clients.

After that FortiGate can do deep inspection for your client's traffic without displaying certificate warning on your browser.

 

In case your FAC is already your CA, and you want to generate the intermediate CA with FAC and import it on FG, here is how to do.

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/273572/fortiauthenticator-certificate-with-ssl-inspection

 

Hope it helps.

AEK
Terms & ConditionsAccessibility statement