Created on 05-21-2024 05:59 AM, edited on 09-01-2025 11:22 PM, by Jean-Philippe_P
This article describes why some websites blocked by a Web Filter profile, in combination with an SSL Inspection profile, generate a certificate issue in the client's browser.
Applies to FortiGates running v6.0, v6.2, v6.4, v7.0, v7.2, v7.4, v7.6.
When a firewall policy is configured with both a Web Filter profile and an SSL Inspection profile and a website gets blocked, the FortiGate sends a replacement page to the user. By default, this replacement page is served with a certificate issued by the FortiGate itself, so the user's browser does not trust it. This is not the case for unsecured (HTTP) connections: there, the replacement page is displayed with no warning. It is generally possible to click through the warning and see the replacement page; if the website uses HSTS, however, this is not possible.
[Screenshots: the certificate warning as displayed in Firefox and in Chrome]
To understand this behavior, a packet sniffer is run on the FortiGate to observe the protocol used, and the behavior of the client's browser is examined as well.
In this scenario, the client IP is 10.186.12.136.
------------------------------------- wikipedia[.]org sniffer -------------------------------------
dig wikipedia.org
;; ANSWER SECTION:
wikipedia.org. 0 IN A 185.15.58.224
diagnose sniffer packet any 'host 10.186.12.136 and net 185.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 185.0.0.0/8]
### --- Initial session from the client, with source port 41332 --- ###
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914708085
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168833989 ack 914708085
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914708085 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914709533 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914710981 ack 2168834554
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914709533
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914710981
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168834554 ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: fin 914711973 ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834585
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711974
### --- Session is re-initiated by the client; as Wikipedia implements HSTS, it keeps using HTTPS (TCP/443), source port 41344 --- ###
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: syn 1472655661 ack 3669304731
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472655662
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669304731 ack 1472655662
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472655662 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472657110 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472658558 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659476 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659477 ack 3669305328
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472657110
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472658558
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659476
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659477
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669305328 ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: fin 3669305358 ack 1472659551
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305358
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: fin 1472659550 ack 3669305358
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551
------------------------------------- fortinet[.]com sniffer -------------------------------------
dig fortinet.com
;; ANSWER SECTION:
fortinet.com. 21102 IN A 54.177.212.176
fortinet.com. 21102 IN A 54.151.118.105
diagnose sniffer packet any 'host 10.186.12.136 and net 54.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 54.0.0.0/8]
### --- Initial session from the client, with source port 33366 --- ###
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: syn 2173102973 ack 3339447869
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173102974
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339447869 ack 2173102974
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448401
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173102974 ack 3339448401
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173103073
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448401 ack 2173103073
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173103073 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173104521 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173105969 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173107169 ack 3339448967
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448967 ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: fin 3339448991 ack 2173107907
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448991
### --- Session is re-initiated by the client; as fortinet[.]com does NOT use HSTS, it switches to HTTP (TCP/80), source port 58898 --- ###
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: fin 2173107907 ack 3339448992
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107908
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693195997
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: psh 3937411357 ack 1693195997
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693195997 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693197445 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693198893 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh fin 1693200341 ack 3937411774
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693197445
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693198893
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693200341
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: fin 3937411774 ack 1693201142
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: ack 3937411775
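As an added example, not taken from the original article or from Fortinet, the following Python parses `diagnose sniffer packet ... 4` lines like the ones above. It groups packets into client sessions by source port and reports whether, after the first TCP/443 session, the client retried on TCP/443 (the HSTS case) or fell back to TCP/80. The sample input is a subset of the two captures above; the one line logged without an interface name is handled too.

```python
import re
from collections import OrderedDict

# One 'diagnose sniffer packet ... 4' line; the interface name is optional
# because one line of the fortinet[.]com capture was logged without it.
PKT_RE = re.compile(
    r"^(?:\S+\s+)?(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_sessions(capture, client_ip):
    """Count packets per client session, keyed (client port, server ip, server port),
    in order of first appearance. Annotation and header lines are skipped."""
    sessions = OrderedDict()
    for line in capture.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        if m["dir"] == "in" and m["src"] == client_ip:      # client -> server
            key = (int(m["sport"]), m["dst"], int(m["dport"]))
        elif m["dir"] == "out" and m["dst"] == client_ip:   # server -> client
            key = (int(m["dport"]), m["src"], int(m["sport"]))
        else:
            continue
        sessions[key] = sessions.get(key, 0) + 1
    return sessions

def classify_retry(capture, client_ip):
    """'hsts'  : client opened a second TCP/443 session (HTTPS retained)
       'plain' : client fell back to TCP/80 after the TCP/443 session
       None    : no retry seen (for example, the site was not blocked)"""
    ports = [dport for (_, _, dport) in parse_sessions(capture, client_ip)]
    if ports.count(443) >= 2:
        return "hsts"
    if 443 in ports and 80 in ports:
        return "plain"
    return None

# Sample input: a subset of the two captures shown in the article.
CLIENT = "10.186.12.136"
WIKI = """port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
### --- Session is reinitiated by the client --- ###
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730"""
FORTINET = """port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: fin 3339448991 ack 2173107907
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357"""
```

Running `classify_retry` over a full capture file of a blocked site gives `hsts` for wikipedia[.]org and `plain` for fortinet[.]com.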
HSTS (HTTP Strict Transport Security) is a mechanism that protects websites against attacks such as Man-in-the-Middle by forcing the use of HTTPS.
More information is available in the following documents:
HSTS has an optional directive named 'preload'. Webmasters can request that their website and its subdomains be added to a preload list that is built into browsers. Browsers connect to the domains on that list only via secure connections (HTTPS), even on the very first visit, so no plain HTTP request is ever sent to them.
Although the preload list service is hosted by Google, all major browsers use it.
The following link can be used to check the status of HSTS for different sites:
wikipedia[.]org uses the 'preload' parameter in HSTS, while fortinet[.]com does not.
How HSTS generates this certificate issue:
For fortinet[.]com, the redirection is done over HTTP and the replacement page is reached directly; no certificate is involved.
For wikipedia[.]org, the redirection is done over HTTPS because the website is on the HSTS preload list. To reach the replacement page, the browser is forced to use HTTPS (which involves a certificate), and because the certificate presented by the FortiGate does not match the CN of the blocked website, the browser displays a certificate error.
This behavior is not caused by the FortiGate itself, and it explains why and how some blocked sites can display the replacement message while others cannot.
One point remains to be clarified: how is the initial HTTPS request (TCP/443) transformed into an HTTP request (TCP/80)?
This happens through an HTTP 3xx redirect response:
[Screenshots: the 3xx response and the browser's follow-up request, for a site without HSTS and for a site with HSTS]
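As an added example (not code from the article or from Fortinet), the following Python models the browser-side decision the screenshots illustrate: after the first connection is answered with a 3xx whose Location is an http:// URL, the browser upgrades that URL to https:// when an HSTS policy applies to the host (from the preload list or from a previously received Strict-Transport-Security header) and leaves it as plain HTTP otherwise. The preload table, the dynamic policy store and the redirect URLs are constructed stand-ins; the article does not show the exact Location value the FortiGate sends.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list: host -> includeSubDomains.
# wikipedia.org is preloaded; fortinet.com is not, as the article states.
PRELOAD = {"wikipedia.org": True}

# Constructed examples of the 3xx Location for a blocked site (exact path not shown in the article).
LOC_FORTINET = "http://fortinet.com/blocked"
LOC_WIKI = "http://wikipedia.org/blocked"

def parse_sts(header):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains)."""
    max_age, subs = 0, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            subs = True
    return max_age, subs

def learn(known, host, header):
    """Update the dynamic HSTS store from a header received over HTTPS.
    max-age=0 removes the host's policy, as RFC 6797 requires."""
    max_age, subs = parse_sts(header)
    if max_age > 0:
        known[host.lower()] = subs
    else:
        known.pop(host.lower(), None)

def hsts_applies(host, known):
    """True if host itself, or a parent domain with includeSubDomains, has a policy."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in known and (i == 0 or known[parent]):
            return True
    return False

def follow_redirect(location, known):
    """URL the browser actually requests after a 3xx whose Location is `location`:
    an http:// target is upgraded to https:// when HSTS applies, else left unchanged.
    An explicit port 80 becomes the https default; any other explicit port is kept."""
    u = urlsplit(location)
    if u.scheme == "http" and hsts_applies(u.hostname, known):
        host = u.hostname if u.port in (None, 80) else f"{u.hostname}:{u.port}"
        return urlunsplit(("https", host, u.path, u.query, u.fragment))
    return location
```

With `PRELOAD` as the policy store, `follow_redirect(LOC_WIKI, PRELOAD)` yields an https:// URL (hence the second TCP/443 session and the certificate error), while `follow_redirect(LOC_FORTINET, PRELOAD)` returns the http:// URL unchanged (hence the TCP/80 session).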
Several actions can be taken to mitigate or resolve this behavior.
If an internal CA is already in use in your environment, it can be used to sign these replacement pages:
Technical Tip: How to use custom certificate for FortiGate Block pages
See this article for more details on how to resolve this error: Technical Tip: Web Filtering certificate warning.