Description
This article explains an issue where an intended web filter replacement message instead shows as a 'Your connection is not private' warning.
A solution is provided. Note that this solution does not apply to HSTS traffic, where the block message cannot be displayed in any case.
Scope
Any supported version of FortiGate.
Solution
When the web filter profile is triggered and a connection to a destination server is blocked, FortiGate typically provides a replacement message in the browser similar to the following, depending on the configuration.
Web filtering warning/authenticate features can only work with deep inspection because FortiGate has to terminate the SSL connection to send back warning/authenticate pages. The web filtering warning/authenticate feature relies on redirecting to a FortiGate page (replacement message), which means it is necessary to interrupt the SSL connection to allow the redirect.
FortiGate achieves this by modifying the data content and 'injecting' the message into the original client session. See Replacement messages for more information.
However, if the web request was made through the HTTPS protocol and only a certificate-inspection SSL profile is configured, the 'Your connection is not private' warning may appear instead of the intended replacement message:
This occurs because one of the goals of the HTTPS protocol is to ensure data integrity for clients. Since FortiGate modifies the data content to inject the replacement message, the server certificate needs to be signed again with the CA certificate selected in the certificate-inspection profile. The browser shows the warning when that CA is not trusted on the client:
There are two options to resolve this issue. It is possible to import the FortiGate CA certificate to be a trusted CA inside the user's PC. See this article for steps: Technical Tip: How to import a FortiGate deep SSL certificate in the system.
If certificates are already in use in the AD environment, it may be more convenient to use an already trusted CA to sign the block page certificate.
To configure this, follow this article: How to use custom certificate for FortiGate Block pages.
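The following client-side check is an added example and is not code from the article or from Fortinet. It opens a TLS session to the blocked site twice, once against the system trust store and once with the exported FortiGate CA added, and maps the result onto the behaviours described above; the CA name "Fortinet_CA_SSL" is an assumption (the factory default), and "blocked.example.com" and "fortigate_ca.pem" are placeholders.

```python
import socket
import ssl

# Assumption: CN of the CA selected in the FortiGate certificate-inspection profile.
# "Fortinet_CA_SSL" is the factory default name; substitute a custom (e.g. AD) CA name.
FORTIGATE_CA_CN = "Fortinet_CA_SSL"


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    names = dict(pair for rdn in peercert.get("issuer", ()) for pair in rdn)
    return names.get("commonName")


def check_block_page(host, port=443, cafile=None, timeout=5):
    """Open a TLS session to host and return (verified, issuer_cn).

    verified is True when the presented chain validates against the default trust
    store plus cafile (pass the exported FortiGate CA PEM to test the article's fix).
    After a failed verification Python does not expose the peer certificate, so
    issuer_cn is None in that case.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, issuer_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return False, None


def diagnose(verified_default, verified_with_fortigate_ca, cn, hsts=False):
    """Map the two verification results onto the behaviours the article describes."""
    if hsts:
        return "hsts: block page cannot be displayed, browser shows an error regardless"
    if verified_default:
        return "replacement page renders: issuing CA is already trusted on this client"
    if verified_with_fortigate_ca and cn == FORTIGATE_CA_CN:
        return ("'Your connection is not private': block page is re-signed by the "
                "FortiGate CA, which this client does not trust; import the CA or "
                "sign the block page with an AD-trusted CA")
    return "untrusted chain not issued by the FortiGate CA: not the block-page case"


if __name__ == "__main__":
    # Placeholder host and CA file; replace with a site blocked by the web filter
    # and the CA exported from the FortiGate.
    host = "blocked.example.com"
    ok_default, _ = check_block_page(host)
    ok_with_ca, cn = check_block_page(host, cafile="fortigate_ca.pem")
    print(diagnose(ok_default, ok_with_ca, cn))
```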
Another workaround is to disable the HTTPS replacement message with the following commands; the browser will then show the 'The connection was reset' page to the end user instead.
config webfilter profile
    edit <webfilter_profile>
        set https-replacemsg disable
    next
end
Related article:
Technical Tip: Disabling HTTPS replacement messages for explicit web-proxy traffic
Copyright 2025 Fortinet, Inc. All Rights Reserved.