Technical Note: How to avoid certificate error when using web filter override to control website access

ojacinto · ‎10-02-2015

Description

This article describes how to avoid certificate error when a web filter override is being used to control website access.

The article assumes that the override web filter and firewall policies to allow the communication have already been configured.

Solution

After the rating override is configured (web filter override, firewall policy and override users) it is necessary to configure on the following settings on the FortiGate:

config webfilter fortiguard
set cache-mode ttl
set cache-prefix-match enable
set cache-mem-percent 2
set ovrd-auth-port-http 8008
set ovrd-auth-port-https 8010 <<<<----------
set ovrd-auth-port-warning 8020
set ovrd-auth-https enable
set warn-auth-https disable
set close-ports disable
set request-packet-size-limit 0
set ovrd-auth-hostname ''
set ovrd-auth-cert "Fortinet_Firmware" >>>>>>>>> default certificate
end

The certificate used on the SSL inspection is "Fortinet_CA_SSLProxy", so this certificate must be configured on the webfilter FortiGuard web filter:

# config webfilter fortiguard
# set ovrd-auth-cert Fortinet_CA_SSLProxy
# end

The certificate for the users settings must also be defined:

# config user setting
# set auth-ca-cert Fortinet_CA_SSLProxy
# end

The correct operation can now be checked. Use a web site where the FortiGuard web filter alert is shown, for example:

Using click to proceed with the override the portal to enter username and password without any certificate error:

After entering the correct data, browsing of the webpage will be permitted: