FortiGate
fdsantos (Staff)
Article Id 328697
Description

This article describes why sometimes the Replacement Message is accessible and sometimes it is not when accessing blocked websites.

Scope

FortiGate, Google Chrome, Edge, Firefox.

Solution

When accessing websites blocked by a Web Filter or Application Control profile, three scenarios can occur.

Scenario 1:

In this scenario, the browser shows a warning message with a 'Proceed' option when accessing the blocked website.

[Image: Scenario_1_1.jpg]

After selecting 'Proceed', it is possible to access the replacement message.

[Image: Scenario_1_2.jpg]

Scenario 2:

In this scenario, there is no option to proceed to the website. The browser shows the error messages 'An application is stopping Chrome from safely connecting to this site' and 'Fortinet was not installed properly on the computer or the network'.

[Image: Scenario_2.jpg]

The reason for this behavior is HSTS (HTTP Strict Transport Security), which is implemented by the website.

HSTS protects websites against MiTM attacks: once a browser has seen the site's Strict-Transport-Security header, it only connects to that site over HTTPS and treats any certificate error as fatal, with no option to click through.

Since FortiGate Replacement Messages on HTTPS sites are delivered through MiTM (the page is signed by the SSL inspection CA rather than by the website's own certificate), the browser does not allow the user to proceed to the Replacement Message when HSTS is applied by the website.

In this case, the solution is to install the CA certificate used in the SSL inspection profile on the client. Once the browser trusts that CA there is no certificate error, and the Replacement Message is displayed without any issues.

 

Scenario 3:

If the firewall policy references an Application Control profile that blocks applications (including web applications) and also references the SSL Inspection profile 'no-inspection', the website will be blocked, but the browser will not display the replacement message. Instead, the browser will display the error 'This site can't be reached' with the error code ERR_TIME_OUT.

This is an example of an Application Control profile that blocks social media applications, such as Facebook:

[Image: Sample App Control.png]

If the SSL Inspection profile is set to 'no-inspection', users will not see the replacement message:

[Image: no inspection SSL.png]

[Image: Screenshot 2024-10-18 154838.jpg]

To fix this, ensure that the firewall policy is using the SSL Inspection profile 'Certificate Inspection' or 'Deep-Inspection'. If using 'Deep-Inspection', be aware that additional configuration needs to be implemented to prevent users from seeing a certificate warning when going to allowed applications. See the related articles for more information:

[Image: Certificate-inspection.png]
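The three scenarios above follow one decision chain: whether the SSL inspection profile lets FortiGate place a replacement page inside the TLS session at all, whether the client trusts the CA used by that profile, and whether the website has HSTS, which removes the browser's 'Proceed' option on certificate errors. The following script is an added example (not Fortinet code or a FortiGate feature) that models that chain so the expected browser outcome can be worked out for a given host and policy. The host names, Strict-Transport-Security headers and the `browser_outcome` function are constructed for illustration; the model only knows HSTS hosts it has "visited", and ignores the browser preload list.

```python
"""Added example (not Fortinet code): a small model of the browser outcomes
described in the three scenarios of this article.

Decision chain for a blocked HTTPS site:
  1. ssl-ssh-profile: can FortiGate inject a replacement page into TLS?
  2. Is the CA used by the SSL inspection profile trusted by the client?
  3. Does the site have HSTS (no 'Proceed' on certificate errors)?
Host names and headers below are constructed sample data.
"""
from typing import Dict, Optional

# Outcomes, labelled after the article's scenarios.
REPLACEMENT_MESSAGE = "replacement message displayed"
WARNING_WITH_PROCEED = "certificate warning; 'Proceed' shows the replacement message"  # Scenario 1
HSTS_HARD_BLOCK = "certificate error with no 'Proceed' option (HSTS)"  # Scenario 2
TIMEOUT = "'This site can't be reached' / ERR_TIME_OUT"  # Scenario 3

SSL_PROFILES_WITH_REPLACEMENT_PAGE = ("certificate-inspection", "deep-inspection")


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns None when the header is absent or max-age is 0 or invalid;
    a max-age of 0 tells the browser to forget the host's HSTS policy.
    """
    if not header:
        return None
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] > 0 else None


def hsts_applies(host: str, known_hosts: Dict[str, dict]) -> bool:
    """True if the browser holds an HSTS policy for `host` itself or for a
    parent domain that set includeSubDomains. Browsers also ship a preload
    list; this model only knows hosts recorded in `known_hosts`."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return True
    return False


def browser_outcome(host: str, ssl_profile: str, fortigate_ca_trusted: bool,
                    known_hosts: Dict[str, dict]) -> str:
    """What the user sees when Application Control blocks `host` over HTTPS."""
    # 1. With no-inspection FortiGate cannot inject anything into the TLS
    #    session; the connection is dropped and the browser times out.
    if ssl_profile == "no-inspection":
        return TIMEOUT
    if ssl_profile not in SSL_PROFILES_WITH_REPLACEMENT_PAGE:
        raise ValueError(f"unknown ssl-ssh-profile: {ssl_profile}")
    # 2. The replacement page is served under the SSL inspection CA. If the
    #    client trusts that CA there is no certificate error at all.
    if fortigate_ca_trusted:
        return REPLACEMENT_MESSAGE
    # 3. Untrusted issuer: HSTS decides whether a click-through exists.
    if hsts_applies(host, known_hosts):
        return HSTS_HARD_BLOCK
    return WARNING_WITH_PROCEED


# Constructed sample: STS headers the browser cached on earlier visits.
SAMPLE_STS_HEADERS = {
    "social.example.test": "max-age=31536000; includeSubDomains",
    "forum.example.test": None,  # site without HSTS
}
KNOWN_HSTS_HOSTS = {}
for _host, _header in SAMPLE_STS_HEADERS.items():
    _policy = parse_hsts(_header)
    if _policy:
        KNOWN_HSTS_HOSTS[_host] = _policy


def demo() -> Dict[str, str]:
    """Run the three article scenarios plus the fix for scenarios 2 and 3."""
    return {
        "scenario 1": browser_outcome("forum.example.test", "deep-inspection", False, KNOWN_HSTS_HOSTS),
        "scenario 2": browser_outcome("www.social.example.test", "deep-inspection", False, KNOWN_HSTS_HOSTS),
        "scenario 2 fixed": browser_outcome("www.social.example.test", "deep-inspection", True, KNOWN_HSTS_HOSTS),
        "scenario 3": browser_outcome("social.example.test", "no-inspection", False, KNOWN_HSTS_HOSTS),
        "scenario 3 fixed": browser_outcome("social.example.test", "certificate-inspection", True, KNOWN_HSTS_HOSTS),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17s} -> {outcome}")
```

Step 3 of `browser_outcome` is the point of Scenario 2: installing the SSL inspection CA on the client changes the answer at step 2, so HSTS is never consulted and the replacement message is shown even on HSTS sites. Step 1 is Scenario 3: no client-side setting helps while the policy uses 'no-inspection', because nothing is ever injected into the TLS session.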

 

Related articles:

Troubleshooting Tip: Resolving NET: ERR_CERT_AUTHORITY_INVALID Error in Google Chrome Behind a Forti...
How to enable deep inspection and import ... - Fortinet Community