Article Id 198693


This article describes how to configure the FortiGate to sign the ‘Access Denied’ replacement message with a custom CA certificate instead of the default ‘Fortinet_CA_SSL’ certificate.

In an Explicit Proxy environment, when an Explicit Proxy firewall policy denies access to a URL, an end user browsing that URL over HTTP receives a replacement message such as ‘Access Denied: The page you requested has been blocked by a firewall policy restriction’.

If the same end user browses the same URL over HTTPS, the same denied message is returned, but this time it is served over a TLS session whose certificate is signed by the ‘Fortinet_CA_SSL’ certificate by default. Unless the user's browser trusts that CA, a certificate warning is displayed before (or instead of) the replacement message.

FortiOS v5.4 to 6.0:
# config user setting
    set auth-ca-cert "<custom_CA_certificate>"
end

FortiOS v6.2:
# config web-proxy global
    set ssl-ca-cert "<custom_CA_certificate>"
end
Once the command is executed, the ‘Access Denied: …’ replacement message will be signed using the <custom_CA_certificate>. The certificate named here must already be installed on the FortiGate as a CA certificate together with its private key, since the FortiGate generates and signs a server certificate for the blocked host with it. End-user browsers must also trust that CA (for example by distributing it through group policy or an MDM profile); otherwise they will still see a certificate warning rather than the replacement message. To verify the change, browse a blocked HTTPS URL through the proxy and check that the issuer of the presented certificate is the custom CA.
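The following script is an added example for verifying the change, not code from the Fortinet article or from FortiOS. It opens a CONNECT tunnel to the explicit proxy for a blocked hostname, completes the TLS handshake that the FortiGate answers itself, and reports whether the presented certificate chain validates against the custom CA's PEM file. The proxy address, blocked hostname and CA file name are hypothetical lab values; hostname verification is deliberately disabled so that only the question of which CA signed the block-page certificate is tested.

```python
"""Check which CA signs the 'Access Denied' page a FortiGate explicit proxy
serves for a blocked HTTPS URL. Added example, not from the Fortinet article."""
import socket
import ssl

# Hypothetical lab values: the explicit proxy, a hostname the policy denies, and
# the PEM file of the custom CA configured with auth-ca-cert / ssl-ca-cert.
PROXY_HOST = "192.0.2.1"
PROXY_PORT = 8080
BLOCKED_HOST = "blocked.example.com"
CUSTOM_CA_PEM = "custom_ca.pem"


def connect_succeeded(response: bytes) -> bool:
    """True when the proxy answered CONNECT with an HTTP 2xx status line."""
    status_line = response.split(b"\r\n", 1)[0].split()
    return (len(status_line) >= 2
            and status_line[0].startswith(b"HTTP/")
            and status_line[1].startswith(b"2"))


def open_tunnel(proxy_host, proxy_port, target_host, timeout=5.0):
    """Send CONNECT to the explicit proxy and return the raw socket once the
    proxy reports the tunnel is up. For a denied URL the FortiGate still
    accepts the tunnel and answers the TLS handshake itself."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(
        f"CONNECT {target_host}:443 HTTP/1.1\r\nHost: {target_host}:443\r\n\r\n".encode()
    )
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    if not connect_succeeded(reply):
        sock.close()
        raise ConnectionError(reply.split(b"\r\n", 1)[0].decode(errors="replace"))
    return sock


def block_page_cert_pem(proxy_host, proxy_port, target_host):
    """Handshake without verification and return the leaf certificate the
    FortiGate presents, as PEM (inspect with: openssl x509 -noout -issuer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want to see the certificate, not trust it
    with ctx.wrap_socket(open_tunnel(proxy_host, proxy_port, target_host),
                         server_hostname=target_host) as tls:
        der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def signed_by_custom_ca(proxy_host, proxy_port, target_host, ca_pem):
    """True if the presented chain validates against ca_pem alone, i.e. the
    block page is signed by the custom CA. False when verification fails,
    which is what you see while the default Fortinet_CA_SSL is still in use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # isolate the CA question from the SAN check
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_pem)
    sock = open_tunnel(proxy_host, proxy_port, target_host)
    try:
        with ctx.wrap_socket(sock, server_hostname=target_host):
            return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    print(block_page_cert_pem(PROXY_HOST, PROXY_PORT, BLOCKED_HOST))
    print("signed by custom CA:",
          signed_by_custom_ca(PROXY_HOST, PROXY_PORT, BLOCKED_HOST, CUSTOM_CA_PEM))
```

Run it once before and once after the CLI change: before, signed_by_custom_ca returns False because the chain is rooted in Fortinet_CA_SSL; after, it returns True, and the PEM printed by block_page_cert_pem shows the custom CA as issuer.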

Related Articles

Technical Note : Blocking HTTPS sites