FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 250501

This article explains an issue where an intended webfilter replacement message instead shows as a 'Your connection is not private' warning. A solution is provided.

Scope Any supported version of FortiGate.

When the web filter profile is triggered and a connection to a destination server is blocked, FortiGate typically provides a replacement message in the browser similar to the following, depending on configuration.


Webfiltering features warning/authenticate can only work with deep inspection because FortiGate has to terminate the SSL connection to send back warning/authenticate pages.

web filtering features warning/authenticate relies on redirecting to a FortiGate page (replacement message) which means we need to interrupt the SSL connection to allow the redirect.




FortiGate achieves this by modifying the data content and 'injecting' the message into the original client session. See the relevant FortiGate cookbook section for more information about replacement messages.


However, if the web request was made through the HTTPS protocol and only a certificate-inspection SSL profile is configured, the 'Your connection is not private' warning may appear instead of the intended replacement message:



This occurs because one of the goals of the HTTPS protocol is to ensure data integrity to clients. Since FortiGate modifies the data content to inject the replacement message, the server certificate needs to be signed again with the CA certificate selected in the certificate-inspection profile:




To resolve this issue, select the Download button and import the downloaded CA certificate as a trusted CA in the browser being used.


The exact steps to import a certificate vary depending on the browser or application. Refer to the browser documentation.