hpenmetsa
Staff
Article Id 383394
Description This article describes a case in which the FortiGuard block page is not displayed when firewall policies are in flow-based inspection mode.
Scope FortiGate, FortiOS v7.0.x.
Solution

The FortiGate devices are running FortiOS v7.0.x and are configured with firewall policies in flow-based inspection mode. In this case, the device blocks websites according to the web filter profile, but the expected FortiGuard block page is not displayed. Instead, users receive the error 'ERR_SSL_PROTOCOL_ERROR'.


When certificate inspection is enabled alongside a web filter profile on a firewall policy, the FortiGuard block page should normally appear for websites blocked by the web filter.


In this case, after switching the firewall policies from flow-based to proxy-based inspection mode, the FortiGate displays the FortiGuard block page.

Alternatively, check the IPS Engine version by running the following command:


diagnose autoupdate versions | grep 'Attack Engine' -A 6


Upgrade the IPS Engine to v7.0 IPSE v7.0189.

Once the IPS Engine is upgraded to v7.0189, the FortiGate displays the FortiGuard block replacement message as expected.