adecottignies_FTNT
Article Id 316289
Description

This article explains why some websites, blocked by a Webfilter profile in combination with an SSL Inspection profile, generate a certificate error in the client's browser instead of the expected replacement message.
Scope

FortiGates running 6.0, 6.2, 6.4, 7.0, 7.2, 7.4.
Solution

When a firewall policy is configured with a Webfilter profile and an SSL Inspection profile, some blocked websites generate a certificate or security error in the browser where a replacement message was expected.

Firefox:

(screenshot: firefox_error_secure.png)

Chrome:

(screenshot: chrome_error_secure.png)

To understand this behavior, a sniffer trace is taken on the FortiGate to show which protocol the client uses on each connection, and the behavior of the client's browser is examined.

In this scenario, the client IP is 10.186.12.136.

------------------------------------- wikipedia[.]org sniffer -------------------------------------

dig wikipedia.org

;; ANSWER SECTION:
wikipedia.org.          0       IN      A       185.15.58.224

diagnose sniffer packet any 'host 10.186.12.136 and net 185.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 185.0.0.0/8]

### --- Initial session from the client, with source port 41332 --- ###
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914708085
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168833989 ack 914708085
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914708085 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914709533 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914710981 ack 2168834554
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914709533
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914710981
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168834554 ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: fin 914711973 ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834585
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711974

### --- Session is reinitiated by the client; as Wikipedia implements HSTS, it keeps using HTTPS (TCP/443), source port 41344 --- ###
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: syn 1472655661 ack 3669304731
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472655662
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669304731 ack 1472655662
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472655662 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472657110 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472658558 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659476 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659477 ack 3669305328
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472657110
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472658558
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659476
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659477
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669305328 ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: fin 3669305358 ack 1472659551
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305358
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: fin 1472659550 ack 3669305358
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551


------------------------------------- fortinet[.]com sniffer -------------------------------------

dig fortinet.com

;; ANSWER SECTION:
fortinet.com.             21102       IN      A       54.177.212.176
fortinet.com.             21102       IN      A       54.151.118.105

diagnose sniffer packet any 'host 10.186.12.136 and net 54.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 54.0.0.0/8]

### --- Initial session from the client, with source port 33366 --- ###
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: syn 2173102973 ack 3339447869
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173102974
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339447869 ack 2173102974
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448401
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173102974 ack 3339448401
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173103073
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448401 ack 2173103073
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173103073 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173104521 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173105969 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173107169 ack 3339448967
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448967 ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: fin 3339448991 ack 2173107907
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448991

### --- Session is reinitiated by the client; as fortinet[.]com does NOT use HSTS, it changes to HTTP (TCP/80), source port 58898 --- ###
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: fin 2173107907 ack 3339448992
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107908
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693195997
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: psh 3937411357 ack 1693195997
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693195997 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693197445 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693198893 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh fin 1693200341 ack 3937411774
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693197445
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693198893
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693200341
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: fin 3937411774 ack 1693201142
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: ack 3937411775

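When reading captures like the two above, the useful signal is whether the client's retry towards the same server lands on TCP/443 again or drops to TCP/80. As an added example that is not part of the original article, the following Python script parses sniffer lines in the verbosity-4 format shown above and reports, per server, the destination port of the client's first session and of the retry. The sample lines are a constructed, trimmed subset of the captures above (only SYN and FIN lines are kept), and the interface name is treated as optional because one line of the capture lacks it.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed subset of the two captures in the article.
# Only lines carrying SYN or FIN are kept, which is all the summary needs.
SAMPLE_CAPTURE = """\
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: fin 3339448991 ack 2173107907
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357
"""

# One packet line of 'diagnose sniffer packet ... 4' output. The interface
# name is optional (one line in the capture lacks it); 'flags' holds the TCP
# flag words before the sequence number, and 'ack' captures a trailing
# "ack <number>" so SYN-ACKs can be told apart from plain SYNs.
PACKET_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[a-z ]+?)\s+\d+(?P<ack>\s+ack\s+\d+)?"
)


def client_sessions(capture, client_ip):
    """Client-initiated sessions in order of their opening SYN, as
    [(client_port, server_ip, server_port), ...]. SYN-ACKs are ignored."""
    seen = OrderedDict()
    for raw in capture.splitlines():
        m = PACKET_RE.match(raw.strip())
        if m is None or m["src"] != client_ip:
            continue
        if "syn" in m["flags"].split() and m["ack"] is None:
            seen.setdefault((int(m["sport"]), m["dst"], int(m["dport"])), None)
    return list(seen)


def retry_behaviour(sessions):
    """For every server the client contacted more than once, return
    (first_dst_port, retry_dst_port). (443, 443) is the HSTS case from the
    article; (443, 80) is the plain 307-to-HTTP fallback."""
    by_server = OrderedDict()
    for _sport, server, dport in sessions:
        by_server.setdefault(server, []).append(dport)
    return {server: (ports[0], ports[1])
            for server, ports in by_server.items() if len(ports) > 1}


if __name__ == "__main__":
    sessions = client_sessions(SAMPLE_CAPTURE, "10.186.12.136")
    for server, (first, retry) in retry_behaviour(sessions).items():
        verdict = "stayed on HTTPS (HSTS)" if retry == 443 else "fell back to HTTP"
        print(f"{server}: first session to port {first}, retry to port {retry} -> {verdict}")
```

On a real capture, pipe the sniffer output into a file and pass its contents to `client_sessions`; a server that shows `(443, 443)` is one where the browser refused the downgrade, which is the pattern to expect for every site on the HSTS preload list.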

HTTP Strict Transport Security (HSTS) is a mechanism that protects websites against attacks such as Man-in-the-Middle by forcing the browser to use HTTPS for that site.

More information is available in the following documents:

HSTS has a specific directive named 'preload'. Webmasters can request that their website and its subdomains be added to a preload list built into browsers. Browsers connect to the domains on that list only via secure connections (HTTPS), without needing to have received the site's HSTS header first.

Although the preload list service is hosted by Google, all major browsers use this preload list.

The following link can be used to check the HSTS status of different sites:

wikipedia[.]org uses the 'preload' directive in its HSTS policy, while fortinet[.]com does not.


How HSTS can generate this certificate issue:

By default, when a site is blocked by a Webfilter on the FortiGate, the connection is not really reset. The FortiGate replaces the IP of the blocked website with its own IP and redirects the client to a web server inside the FortiGate where the replacement messages are hosted.

This 'internal' website is reachable through HTTP (TCP/80) and HTTPS (TCP/443).

Redirection for fortinet[.]com is done through HTTP: the replacement page is reached and no certificate is involved.

Redirection for wikipedia[.]org is done through HTTPS, because the website uses the HSTS 'preload' directive. To reach the hosted replacement message, the browser is forced to use HTTPS (which involves a certificate), and because the certificate presented by the FortiGate does not match the CN of the blocked website, the browser displays a certificate error.

This behavior is not caused by the FortiGate itself, but it explains why and how some blocked sites display the replacement message while others do not.

One point remains to be clarified:

How is the initial HTTPS request (TCP/443) transformed into an HTTP request (TCP/80)?

It happens through an HTTP 3xx response:

(screenshot: http30x.png)


Site without HSTS:

  1. The request URL is https://fortinet.com (TCP/443).
  2. The server answers this request with HTTP 307 (Temporary Redirect).
  3. In that answer, the 'Location' header is set to http://fortinet.com (TCP/80).
  4. The browser follows the redirect and displays the replacement page.

(screenshot: HSTS_307_broswer.png)

Site with HSTS:

  1. The request URL is https://wikipedia.org (TCP/443).
  2. The HTTP 307 answer redirects to http://wikipedia.org (TCP/80).
  3. As wikipedia.org is on the HSTS preload list, the browser forces HTTPS for that request.
  4. The replacement page cannot be displayed because the certificate does not match the URL.

(screenshot: HSTS_307_broswer_2.png)

(screenshot: HSTS_307_broswer_3.png)

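To make the two flows above concrete, the following Python model (an added example, not code from the article or from Fortinet) implements the browser-side HSTS logic that decides the outcome: parsing a Strict-Transport-Security header, keeping a preload set together with dynamically learned hosts, and upgrading an http:// redirect target to https:// when the host is covered. It goes slightly beyond the page in also covering a site that is not preloaded but sent an HSTS header on an earlier HTTPS visit; once that policy is cached the site ends up in the same situation as wikipedia.org. The preload set holding only wikipedia.org, the hostname example.test, and the assumption that the FortiGate's replacement-page certificate never matches the blocked site's name are all constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list: the article
# states that wikipedia.org is preloaded and fortinet.com is not. Preloaded
# entries always cover their subdomains.
PRELOAD = {"wikipedia.org"}


def parse_sts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


class Browser:
    """Minimal model of a browser's HSTS state: preload list plus learned hosts."""

    def __init__(self, preload):
        self.preload = set(preload)
        self.dynamic = {}  # host -> includeSubDomains flag

    def remember(self, host, sts_value):
        """Store the HSTS policy a host sent over HTTPS (max-age=0 clears it)."""
        sts = parse_sts(sts_value)
        if not sts["max_age"]:
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = sts["include_subdomains"]

    def is_hsts(self, host):
        """True if host, or a parent domain whose policy covers subdomains,
        requires HTTPS."""
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            if candidate in self.dynamic and (i == 0 or self.dynamic[candidate]):
                return True
        return False

    def next_request(self, location):
        """URL the browser actually requests after a redirect to `location`."""
        u = urlsplit(location)
        if u.scheme == "http" and self.is_hsts(u.hostname):
            return urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
        return location


def block_outcome(browser, requested_url):
    """Model the flow the article describes for a webfiltered HTTPS request:
    the FortiGate answers with 307 and a Location of http://<host>/ (step 3).
    Assumption: the certificate served on the FortiGate's replacement page
    never matches the blocked hostname, so any HTTPS fetch of that page
    fails the browser's name check."""
    host = urlsplit(requested_url).hostname
    redirect_location = f"http://{host}/"
    follow = browser.next_request(redirect_location)  # HSTS may upgrade it
    if urlsplit(follow).scheme == "https":
        return "certificate_error"  # CN mismatch against the FortiGate cert
    return "replacement_page"


if __name__ == "__main__":
    b = Browser(PRELOAD)
    for url in ("https://fortinet.com/", "https://wikipedia.org/"):
        print(url, "->", block_outcome(b, url))
    # A site that is not preloaded but sent HSTS on an earlier visit behaves
    # like wikipedia.org once the policy is cached (example.test is made up).
    b.remember("example.test", "max-age=31536000; includeSubDomains")
    print("https://example.test/ ->", block_outcome(b, "https://example.test/"))
```

The model shows why the FortiGate cannot fix this on its own: the downgrade to http:// is rejected inside the browser before any packet leaves the client, so the only way the replacement page can be reached is over HTTPS with a certificate the browser accepts for that hostname.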

There are different actions that can be taken to mitigate or resolve this behavior. See Technical Tip: Web Filtering certificate warning.