FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Sachin_Alex_Cherian_
Article Id 203563
Description

This article explains the scenarios in which FortiProxy needs to present a replacement message after blocking HTTPS traffic, and which certificate is used in each case.

Scope

FortiProxy.
Solution

Scenario 1:

When the traffic is explicitly dropped by an explicit proxy policy whose action is set to DENY.

config firewall policy
    edit <policy-id>
        set type explicit-web
        set name "proxy-policy"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "192.168.10.1"
        set dstaddr "1.179.170.7"
        set action deny
        set schedule "always"
        set service "webproxy"
        set logtraffic disable
    next
end

Here the replacement message is served with the certificate from the default certificate-inspection profile, which is applied to the policy by default.

As such, the certificate used would be the Fortinet_CA_SSL certificate.

To present a custom certificate instead, change the ssl-ssh-profile on the DENY policy to a profile that uses the custom certificate.

config firewall policy
    edit <policy-id>
        set ssl-ssh-profile "custom-inspection-profile"
    next
end

Scenario 2:

When no explicit proxy policy allows the connection through the FortiProxy, the implicit deny rule drops the traffic.

When traffic is dropped by the implicit deny policy, the certificate set as ssl-ca-cert under config web-proxy global is used whenever an HTTPS replacement message needs to be displayed.

By default, this is the Fortinet_CA_SSL certificate.

The implicit deny policy cannot be modified. To use a custom certificate for its replacement message, set that certificate as ssl-ca-cert as shown below:

config web-proxy global
    set ssl-ca-cert "custom-ssl-cert"
end

Scenario 3:

If no replacement message is needed at all, it can be disabled as follows:

config web-proxy global
    set https-replacement-message disable
end

Disabling HTTPS replacement messages helps avoid certificate errors when access is blocked or denied.

Note that when the replacement message is disabled, the user gets no message in the browser when access is blocked.

Scenario 4:

When traffic matches a configured explicit proxy policy but a security profile applied to that policy, such as a web filter or application control profile, blocks the connection. In this case, the certificate used to send the replacement message is the one configured in the ssl-ssh-inspection profile (the certificate or deep inspection profile) applied to the same policy.

To avoid certificate errors, import the certificate configured in the certificate/deep inspection profile so that clients trust it, or use a custom certificate signed by an internal CA to perform certificate/deep inspection. Another option is to prevent the replacement message from being delivered to the user under the specific security profile:

config webfilter profile
    edit default
        set https-replacemsg {enable | disable}
    next
end

config application list
    edit default
        set app-replacemsg {enable | disable}
    next
end
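Whichever of the four scenarios applies, the administrator will want to confirm which CA actually signs the certificate served with a blocked HTTPS request after changing ssl-ssh-profile or ssl-ca-cert. The script below is an added example, not part of this article or of FortiProxy; it assumes `openssl` 1.1 or later is on the PATH, and the proxy address, blocked host and expected issuer CN are supplied by the administrator. The sample x509 output text is constructed.

```python
import re
import subprocess
from typing import Optional

# Constructed sample of `openssl x509 -noout -issuer -subject` output in the
# OpenSSL 1.1+ layout; the CN values are made up for this example.
SAMPLE_X509_TEXT = """issuer=C = US, O = Example Corp, CN = Example Corp Internal CA
subject=CN = blocked.example.test
"""

def parse_dn_cn(dn: str) -> Optional[str]:
    """Pull the CN out of a DN in either 'C = US, CN = x' (OpenSSL 1.1+)
    or '/C=US/CN=x' (OpenSSL 1.0) layout. A CN containing ',' or '/' is
    truncated at that character, which is acceptable for a sanity check."""
    m = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else None

def classify(x509_text: str, expected_issuer_cn: str) -> dict:
    """Report the issuer and subject CN of the presented certificate and
    whether the issuer is the CA the administrator expects (for example the
    custom CA set via ssl-ssh-profile or ssl-ca-cert, not Fortinet_CA_SSL)."""
    issuer_cn = subject_cn = None
    for line in x509_text.splitlines():
        key, _, dn = line.partition("=")
        if key.strip() == "issuer":
            issuer_cn = parse_dn_cn(dn)
        elif key.strip() == "subject":
            subject_cn = parse_dn_cn(dn)
    return {"issuer_cn": issuer_cn, "subject_cn": subject_cn,
            "expected": issuer_cn == expected_issuer_cn}

def probe_blocked_site(proxy: str, host: str, timeout: int = 15) -> Optional[str]:
    """Open a CONNECT tunnel through the explicit proxy to a host the proxy
    blocks and return the presented certificate's issuer/subject text, or None
    when no certificate comes back (https-replacement-message disabled)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-proxy", proxy, "-connect", f"{host}:443",
         "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    if b"BEGIN CERTIFICATE" not in s_client.stdout:
        return None
    x509 = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-subject"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()

if __name__ == "__main__":
    import sys  # usage: script.py <proxy-ip:port> <blocked-host> <expected-issuer-CN>
    text = probe_blocked_site(sys.argv[1], sys.argv[2])
    print("no certificate presented (replacement message disabled?)" if text is None
          else classify(text, sys.argv[3]))
```

Run it against a host you know the proxy blocks: an issuer CN other than the expected one means the replacement message is still being served with the default Fortinet_CA_SSL certificate from a profile you have not changed.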