FortiGate
metz_FTNT
Staff
Article Id 250501

Description

 

This article explains why a web filter block that should display a FortiGate replacement message instead produces a 'Your connection is not private' browser warning, and how to resolve it.

Note that the solution does not apply to HSTS traffic: HSTS instructs the browser to treat any certificate error as fatal, so the block message cannot be displayed there.

 

Scope

 

Any supported version of FortiGate.

 

Solution

 

When a web filter profile blocks a connection to a destination server, FortiGate normally returns a replacement message to the browser similar to the following (the exact page depends on configuration).

 

The web filter warning and authenticate actions only work with deep inspection. Both rely on redirecting the browser to a FortiGate-hosted page (the replacement message), so FortiGate has to terminate the TLS session in order to inject that redirect into the response.

 

replace_msg.png

 

FortiGate achieves this by modifying the data content and 'injecting' the message into the original client session. See the relevant FortiGate cookbook section for more information about replacement messages.

 

However, if the web request was made over HTTPS and only a certificate-inspection SSL/SSH profile is applied, the browser may show the 'Your connection is not private' warning instead of the intended replacement message:

 

CA.png

This occurs because TLS authenticates the server and protects the integrity of the data it sends: a browser will not accept content injected by a third party into the middle of a session. To deliver the replacement message, FortiGate therefore terminates the TLS session itself and presents a certificate for the requested hostname that it issues under the CA certificate selected in the certificate-inspection profile (Fortinet_CA_SSL by default). The browser does not trust that CA, so it shows the warning rather than the block page:

 

Screenshot_2023-03-28_09-59-41.png

 

To resolve this issue, select the Download button next to the CA certificate in the certificate-inspection profile and import the downloaded CA certificate as a trusted root CA in the browser (or the operating system certificate store the browser uses; Firefox maintains its own store).

The exact steps to import a certificate vary by browser or application; refer to the browser documentation. Because a browser that trusts this CA will accept a certificate from the FortiGate for any site, distribute the CA only to managed devices, and for more than a handful of clients push it through endpoint management tooling rather than importing it by hand.
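The following script is an added diagnostic, not part of the Fortinet article. It shows, from a client, who actually issued the certificate received for a site (the real server, or the FortiGate serving a block page), and whether the downloaded CA file makes that chain validate, which is the check to run before and after importing the CA. It assumes openssl(1) is on the PATH; the match string "Fortinet" is an assumption about the organisation name in the default Fortinet_CA_SSL subject, so set FGT_CA_MATCH when a custom CA is selected in the profile.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Checks which CA issued the
# leaf certificate a client receives for a host, and whether a downloaded
# FortiGate CA file validates that chain. Assumes openssl(1) is installed.

# Substring expected in the issuer of certificates the FortiGate issues.
# Assumed to match the default Fortinet_CA_SSL (O = Fortinet); override for a custom CA.
FGT_CA_MATCH=${FGT_CA_MATCH:-Fortinet}

# Print the "issuer=..." line of the leaf certificate served for host $1 (with SNI).
fetch_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Classify an "issuer=..." line:
#   intercepted - issued under the FortiGate inspection CA (block page served by FortiGate)
#   origin      - issued by some other CA (the real server answered)
#   unknown     - no certificate could be read (connection refused, not TLS, ...)
classify_issuer() {
  case "$1" in
    "") echo unknown ;;
    *"$FGT_CA_MATCH"*) echo intercepted ;;
    *) echo origin ;;
  esac
}

# Return 0 when the chain served for host $1 validates against CA file $2.
# Success means the downloaded CA is the one the FortiGate signs with, so once
# the browser trusts it the replacement message renders without the warning.
verify_with_ca() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh fgt_cert_check.sh <host> [Fortinet_CA_SSL.pem]
if [ $# -ge 1 ]; then
  host=$1
  issuer=$(fetch_issuer "$host")
  echo "$host: ${issuer:-no certificate received}"
  echo "classification: $(classify_issuer "$issuer")"
  if [ -n "$2" ]; then
    if verify_with_ca "$host" "$2"; then
      echo "chain validates against $2"
    else
      echo "chain does NOT validate against $2 (wrong CA file, or not intercepted)"
    fi
  fi
fi
```

Run it against a site the web filter blocks: before the fix the classification is "intercepted" and, without the CA file, a browser shows the warning; with the downloaded CA passed as the second argument the chain should validate, confirming the file is the right one to import. An "origin" result on a blocked site means the request is not being intercepted at all, so the problem lies in policy or profile selection rather than certificate trust.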