When the webfilter profile is triggered and a connection to a destination server is blocked, FortiGate typically provides a replacement message in the browser similar to the following, depending on configuration:
FortiGate achieves this by modifying the data content and 'injecting' the message into the original client session. See the relevant FortiGate cookbook section for more information about replacement messages.
However, if the web request was made through the HTTPS protocol and only a certificate-inspection SSL profile is configured, 'Your connection is not private' warning may appear instead of the intended replacement message:
This occurs because one of the goals of the HTTPS protocol is to ensure data integrity to clients. Since the FortiGate modifies the data content to inject the replacement message, the server certificate needs to be signed again with the CA certificate selected in the certificate-inspection profile:
To resolve this issue, select the Download button and import the downloaded CA certificate as a trusted CA in the browser being used.
The exact steps to import a certificate vary depending on the browser or application. Refer to the browser documentation.