Created on
03-28-2023
01:14 AM
Edited on
01-05-2025
10:33 PM
By
Jean-Philippe_P
Description
This article explains an issue where an intended web filter replacement message instead shows as a 'Your connection is not private' warning.
A solution is provided. Note that this solution does not apply to HSTS traffic, where the block message cannot be displayed (in any case).
Scope
Any supported version of FortiGate.
Solution
When the web filter profile is triggered and a connection to a destination server is blocked, FortiGate typically provides a replacement message in the browser similar to the following, depending on the configuration.
Web filtering warning/authenticate features can only work with deep inspection because FortiGate has to terminate the SSL connection to send back warning/authenticate pages. The web filtering warning/authenticate feature relies on redirecting to a FortiGate page (replacement message) which means it is necessary to interrupt the SSL connection to allow the redirect.
FortiGate achieves this by modifying the data content and 'injecting' the message into the original client session. See the relevant FortiGate cookbook section for more information about replacement messages.
However, if the web request was made through the HTTPS protocol and only a certificate-inspection SSL profile is configured, the 'Your connection is not private' warning may appear instead of the intended replacement message:
This occurs because one of the goals of the HTTPS protocol is to ensure data integrity to clients. Since FortiGate modifies the data content to inject the replacement message, the server certificate needs to be signed again with the CA certificate selected in the certificate-inspection profile:
There are two options to resolve this issue. It is possible to import the FortiGate CA certificate to be a trusted CA inside of the user's PC. See this article for steps: Technical Tip: How to import a FortiGate deep SSL certificate in the system.
If certificates are already in use in the AD environment, it may be more convenient to use an already trusted CA to sign the block page certificate.
To configure this, follow this article: How to use custom certificate for FortiGate Block pages.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.