This article explains why some websites, blocked by a Webfilter profile in combination with an SSL Inspection profile, generate a certificate error in the client's browser.
FortiGate running FortiOS 6.0, 6.2, 6.4, 7.0, 7.2, 7.4.
When a firewall policy is configured with a Webfilter profile and an SSL Inspection profile, some blocked websites generate a certificate or security error where a replacement message was expected.
Firefox: (screenshot of the certificate error page)
Chrome: (screenshot of the certificate error page)
To understand this behavior, a sniffer is run on the FortiGate to show the protocol used for each connection. The client's browser is also examined.
In this scenario, the client IP is 10.186.12.136.
------------------------------------- wikipedia[.]org sniffer -------------------------------------
dig wikipedia.org
;; ANSWER SECTION:
wikipedia.org. 0 IN A 185.15.58.224
diagnose sniffer packet any 'host 10.186.12.136 and net 185.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 185.0.0.0/8]
### --- Initial session from the client, with source port 41332 --- ###
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914708085
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168833989 ack 914708085
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914708085 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914709533 ack 2168834554
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: psh 914710981 ack 2168834554
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914709533
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914710981
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: psh 2168834554 ack 914711973
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: fin 914711973 ack 2168834584
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: ack 2168834585
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: ack 914711974
### --- Session is re-initiated by the client; because Wikipedia implements HSTS, it keeps using HTTPS (TCP/443), source port 41344 --- ###
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: syn 1472655661 ack 3669304731
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472655662
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669304731 ack 1472655662
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472655662 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472657110 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472658558 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659476 ack 3669305328
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: psh 1472659477 ack 3669305328
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472657110
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472658558
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659476
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659477
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: psh 3669305328 ack 1472659551
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: fin 3669305358 ack 1472659551
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: ack 3669305358
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: fin 1472659550 ack 3669305358
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: ack 1472659551
------------------------------------- fortinet[.]com sniffer -------------------------------------
dig fortinet.com
;; ANSWER SECTION:
fortinet.com. 21102 IN A 54.177.212.176
fortinet.com. 21102 IN A 54.151.118.105
diagnose sniffer packet any 'host 10.186.12.136 and net 54.0.0.0/8' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.186.12.136 and net 54.0.0.0/8]
### --- Initial session from the client, with source port 33366 --- ###
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: syn 2173102973 ack 3339447869
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173102974
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339447869 ack 2173102974
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448401
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173102974 ack 3339448401
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173103073
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448401 ack 2173103073
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173103073 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173104521 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173105969 ack 3339448967
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: psh 2173107169 ack 3339448967
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: psh 3339448967 ack 2173107907
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: fin 3339448991 ack 2173107907
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: ack 3339448991
### --- Session is re-initiated by the client; because fortinet[.]com does NOT implement HSTS, it switches to HTTP (TCP/80), source port 58898 --- ###
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: fin 2173107907 ack 3339448992
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: ack 2173107908
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693195997
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: psh 3937411357 ack 1693195997
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693195997 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693197445 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh 1693198893 ack 3937411774
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: psh fin 1693200341 ack 3937411774
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693197445
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693198893
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: ack 1693200341
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: fin 3937411774 ack 1693201142
port2 out 54.177.212.176.80 -> 10.186.12.136.58898: ack 3937411775
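The two captures above are easier to compare when the packets are grouped per client session. The following script is an added example and not part of the Fortinet article: it parses 'diagnose sniffer packet' verbosity-4 lines, groups them by the client's source port, and reports which server port each session used, so the 443 -> 443 (HSTS) versus 443 -> 80 (no HSTS) pattern is visible at a glance. The sample captures are trimmed copies of the article's output; the regular expression and the classification labels are assumptions made for this example.

```python
"""Added example (not from the Fortinet article): group FortiGate sniffer
lines into client sessions and classify the re-connect behaviour.
Sample captures are trimmed copies of the article's output."""
import re
from typing import Dict, List, Optional, Tuple

# Verbosity-4 line: "[iface] in|out SRC.SPORT -> DST.DPORT: flags seq [ack n]"
# Some lines in the article lack the interface name, so it is optional.
LINE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+)?(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# Trimmed copies of the article's two captures (client 10.186.12.136).
WIKIPEDIA_CAPTURE = """\
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: syn 2168833988
port2 out 185.15.58.224.443 -> 10.186.12.136.41332: syn 914708084 ack 2168833989
port2 in 10.186.12.136.41332 -> 185.15.58.224.443: fin 2168834584 ack 914711973
port2 in 10.186.12.136.41344 -> 185.15.58.224.443: syn 3669304730
port2 out 185.15.58.224.443 -> 10.186.12.136.41344: syn 1472655661 ack 3669304731
"""
FORTINET_CAPTURE = """\
port2 in 10.186.12.136.33366 -> 54.177.212.176.443: syn 3339447868
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: syn 2173102973 ack 3339447869
port2 in 10.186.12.136.58898 -> 54.177.212.176.80: syn 3937411356
port2 out 54.177.212.176.443 -> 10.186.12.136.33366: fin 2173107907 ack 3339448992
out 54.177.212.176.80 -> 10.186.12.136.58898: syn 1693195996 ack 3937411357
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one sniffer line; return None for headers, comments and filters."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # TCP flag words are the non-numeric tokens ("psh fin 123 ack 456" -> psh fin ack)
    flags = tuple(t for t in m["rest"].split() if not t.isdigit())
    return {
        "iface": m["iface"],
        "dir": m["dir"],
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": flags,
    }


def sessions(capture: str, client_ip: str) -> List[dict]:
    """Group packets by client socket, in first-seen order."""
    table: Dict[Tuple[str, int], dict] = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"][0] == client_ip:
            client, server = pkt["src"], pkt["dst"]
        elif pkt["dst"][0] == client_ip:
            client, server = pkt["dst"], pkt["src"]
        else:
            continue  # packet does not involve the client
        s = table.setdefault(client, {
            "client_port": client[1], "server_ip": server[0],
            "server_port": server[1], "packets": 0, "flags": set(),
        })
        s["packets"] += 1
        s["flags"].update(pkt["flags"])
    return list(table.values())


def reconnect_pattern(capture: str, client_ip: str) -> str:
    """Classify what the client did after its first HTTPS session (label names
    are this example's own): 'https-reconnect' matches the HSTS case, where the
    replacement page is fetched over TLS and a certificate error follows;
    'http-fallback' matches the non-HSTS case, where the redirect to HTTP is
    followed as-is and the replacement page is shown."""
    ports = [s["server_port"] for s in sessions(capture, client_ip)]
    if len(ports) < 2 or ports[0] != 443:
        return "inconclusive"
    if ports[1] == 443:
        return "https-reconnect"
    if ports[1] == 80:
        return "http-fallback"
    return "inconclusive"


if __name__ == "__main__":
    for name, cap in (("wikipedia.org", WIKIPEDIA_CAPTURE), ("fortinet.com", FORTINET_CAPTURE)):
        for s in sessions(cap, "10.186.12.136"):
            print(f"{name}: client port {s['client_port']} -> {s['server_ip']}:{s['server_port']}"
                  f" ({s['packets']} packets, flags {sorted(s['flags'])})")
        print(f"{name}: {reconnect_pattern(cap, '10.186.12.136')}")
```

Feed it a full capture (paste the sniffer output into the string) to see every session the client opened; the classification only looks at the first two sessions, which is what the article's analysis turns on.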
HSTS (HTTP Strict Transport Security) is a mechanism that protects websites against attacks such as Man-in-the-Middle by forcing the use of HTTPS.
More information is available in the following documents:
HSTS has a specific directive named 'preload'. Webmasters can ask for their website and its subdomains to be added to a preload list that is built into browsers; for the domains on that list, browsers connect only via secure connections (HTTPS).
Although the preload service is hosted by Google, all major browsers use this preload list.
The following link can be used to check the status of HSTS for different sites:
wikipedia[.]org uses the 'preload' directive in its HSTS policy, while fortinet[.]com does not.
How HSTS can generate this certificate issue:
By default, when a site is blocked by the Webfilter on the FortiGate, the connection is not simply reset. The FortiGate substitutes its own IP for that of the blocked website and redirects the client to a web server inside the FortiGate where the replacement messages are hosted.
This 'internal' website is reachable through HTTP (TCP/80) and HTTPS (TCP/443).
The redirection for fortinet[.]com is done over HTTP: the replacement page is reached and no certificate is involved.
The redirection for wikipedia[.]org is done over HTTPS, because the website has the 'preload' directive. To visit the hosted replacement message, the browser is forced to use HTTPS (which involves a certificate), and because the certificate presented by the FortiGate does not match the CN of the blocked website, the browser displays a certificate error.
This behavior is therefore not caused by the FortiGate itself; it explains why and how some blocked sites display the replacement message while others do not.
There is still one point to clarify: how is the initial HTTPS request (TCP/443) transformed into an HTTP request (TCP/80)?
It happens through an HTTP 3xx redirect response:
Site without HSTS: (screenshot of the HTTP 3xx response)
Site with HSTS: (screenshot of the HTTP 3xx response)
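The browser-side logic that turns the same 3xx redirect into an HTTP request for one site and an HTTPS request for the other can be modelled in a few lines. The script below is an added example and not part of the Fortinet article: it parses Strict-Transport-Security headers, keeps a small HSTS cache plus a stand-in for the browser-embedded preload list, rewrites an http:// redirect target to https:// for HSTS hosts, and finally performs the hostname check that fails on the FortiGate's replacement-page certificate. All hostnames, header values, Location values and the PRELOADED set are constructed for illustration.

```python
"""Added example (not from the Fortinet article): a minimal model of how a
browser's HSTS state decides whether a 3xx redirect to http:// is followed
as-is or upgraded to https://. Hostnames, headers and PRELOADED are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the preload list shipped with browsers.
# Real preload entries cover all subdomains, which is mirrored in is_hsts_host.
PRELOADED = {"wikipedia.org"}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).
    Returns None when the header is malformed; browsers then ignore it."""
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_sub, preload)


class Browser:
    """Just enough browser state to decide http:// vs https:// for a host."""

    def __init__(self) -> None:
        self.hsts: Dict[str, HstsPolicy] = {}  # dynamic HSTS cache

    def is_hsts_host(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, is known HSTS."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:
                return True
            policy = self.hsts.get(candidate)
            if policy and (i == 0 or policy.include_subdomains):
                return True
        return False

    def observe_response(self, host: str, headers: Dict[str, str]) -> None:
        """Update the cache from a response received over HTTPS."""
        value = headers.get("strict-transport-security")
        policy = parse_sts(value) if value else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.hsts.pop(host.lower(), None)  # max-age=0 clears the entry
        else:
            self.hsts[host.lower()] = policy

    def follow_redirect(self, location: str) -> str:
        """URL actually requested after a 3xx Location. An http:// target for an
        HSTS host is rewritten to https:// before any TCP connection is opened
        (RFC 6797 section 8.3), which is why the HSTS site reconnects on 443."""
        parts = urlsplit(location)
        if parts.scheme != "http" or not parts.hostname:
            return location
        if not self.is_hsts_host(parts.hostname):
            return location
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def certificate_matches(host: str, cert_names: Iterable[str]) -> bool:
    """Hostname check the browser applies to the replacement page's certificate.
    cert_names holds the CN/SAN DNS names; single-label wildcards are honoured."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


if __name__ == "__main__":
    b = Browser()
    # Constructed Location values: the blocked site's HTTPS request is answered
    # with a redirect to the same host over plain HTTP.
    for host in ("fortinet.com", "en.wikipedia.org"):
        nxt = b.follow_redirect(f"http://{host}/")
        print(f"{host}: browser requests {nxt}")
    # Constructed CN for the FortiGate's internal replacement-page certificate.
    print("CN matches blocked site:", certificate_matches("wikipedia.org", {"FGT-replacement.local"}))
```

Running it shows the fortinet.com redirect left on http:// while the en.wikipedia.org redirect is upgraded to https:// because its parent domain is preloaded; the final check returns False, which is the CN mismatch the browser reports as a certificate error. The same `Browser` object can be fed a `Strict-Transport-Security` header through `observe_response` to see a non-preloaded site behave like the HSTS case once the header has been seen.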
There are different actions that can be taken to mitigate or resolve this behavior. See Technical Tip: Web Filtering certificate warning.
Copyright 2025 Fortinet, Inc. All Rights Reserved.