FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Sachin_Alex_Cherian_
Article Id 203563
Description

This article explains the scenarios in which FortiProxy presents a replacement message after blocking HTTPS traffic, and which certificate is used to present that message in each case.

Scope
Solution

Scenario 1.

When the traffic is specifically dropped by an explicit proxy policy configured with the action set to DENY.

# config firewall policy
    edit <policy-id>
        set type explicit-web
        set name "proxy-policy"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "192.168.10.1"
        set dstaddr "1.179.170.7"
        set schedule "always"
        set service "webproxy"
        set logtraffic disable
    next
end

Here the replacement message is presented with the certificate from the default certificate-inspection profile, which is applied to the policy when no other ssl-ssh-profile is set.

As such, the certificate used is the Fortinet_CA_SSL certificate.

To present a custom certificate, change the ssl-ssh-profile of the DENY policy to a profile that uses the custom certificate.

# config firewall policy
    edit <policy-id>
        set ssl-ssh-profile "custom-inspection-profile"
    next
end

Note:

The ssl-ssh-profile of a DENY policy has to be set from the CLI; as of 2.0.7 it cannot be set from the GUI.

Scenario 2.

When there is no explicit proxy policy allowing the connection through FortiProxy and the implicit deny rule drops the traffic.

When traffic is dropped by the implicit deny policy, the certificate set as ssl-ca-cert under config web-proxy global is used whenever an HTTPS replacement message needs to be displayed.

By default, this is the Fortinet_CA_SSL certificate.

The implicit deny policy itself cannot be modified. If a custom certificate needs to be used for the replacement message, set that certificate as ssl-ca-cert as below:

# config web-proxy global
    set ssl-ca-cert "custom-ssl-cert"
end

Scenario 3.

If no replacement message is needed for blocked HTTPS traffic, it can be disabled as below:

# config web-proxy global
    set https-replacement-message disable
end

Disabling HTTPS replacement messages is helpful to avoid certificate errors in the browser when access is blocked or denied.

Note that when the replacement message is disabled, the user will not get any message in their browser when access is blocked.
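To confirm which certificate a blocked HTTPS request actually receives in each of the three scenarios above, the following Python script (an added example, not part of this article or of FortiProxy) sends a CONNECT for a denied host through the explicit proxy and then attempts a TLS handshake inside the tunnel, verifying the certificate the proxy presents against the CA you expect: the exported Fortinet_CA_SSL certificate for the defaults in scenarios 1 and 2, or your custom CA after the changes above. The proxy address 192.168.10.254, the port 8080, the CA file path and the denied hostname are assumptions; replace them with your own values.

```python
"""Probe what a FortiProxy explicit proxy presents for a blocked HTTPS site.

Added example, not Fortinet's code. Proxy address, port, the CA file and the
denied hostname are assumptions (constructed values); replace them with your own.
"""
import socket
import ssl

PROXY_HOST = "192.168.10.254"   # assumed explicit-web proxy address (constructed)
PROXY_PORT = 8080               # assumed explicit proxy listener port (constructed)


def connect_status(reply):
    """Return the numeric status from the proxy's reply to CONNECT, or None if unparsable.

    reply holds the raw bytes received up to the blank line that ends the headers.
    """
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def issuer_common_name(peercert):
    """Extract the issuer CN from the dict that ssl.SSLSocket.getpeercert() returns.

    The 'issuer' entry is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
    """
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def probe_blocked_site(target_host, ca_file,
                       proxy_host=PROXY_HOST, proxy_port=PROXY_PORT, timeout=5.0):
    """Tunnel to target_host via CONNECT and report what the proxy sends back.

    ca_file is a PEM file holding the CA the replacement-message certificate is
    expected to chain to (the default Fortinet_CA_SSL or the custom CA).
    Returns a (result, detail) pair:
      ("connect-error", status)  the proxy refused the CONNECT itself
      ("no-replacement", None)   the tunnel opened but no TLS handshake completed,
                                 which is what scenario 3 looks like from the client
      ("untrusted", None)        a certificate was presented that does not chain to ca_file
      ("trusted", issuer_cn)     the certificate chains to ca_file; its issuer CN is returned
    """
    # Only the CA in ca_file is trusted; nothing from the system store is loaded.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # the replacement page's certificate is not issued for target_host
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        request = f"CONNECT {target_host}:443 HTTP/1.1\r\nHost: {target_host}:443\r\n\r\n"
        raw.sendall(request.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                return ("no-replacement", None)  # proxy closed before answering
            reply += chunk
        status = connect_status(reply)
        if status != 200:
            return ("connect-error", status)
        try:
            tls = ctx.wrap_socket(raw, server_hostname=target_host)
        except ssl.SSLCertVerificationError:
            return ("untrusted", None)  # a certificate arrived, but from a different CA
        except (ssl.SSLError, ConnectionError, socket.timeout):
            return ("no-replacement", None)  # no usable TLS handshake inside the tunnel
        with tls:
            return ("trusted", issuer_common_name(tls.getpeercert()))


if __name__ == "__main__":
    # Hypothetical denied host and exported CA file; adjust to your environment.
    print(probe_blocked_site("blocked.example.com", "fortinet_ca_ssl.pem"))
```

A "trusted" result with the issuer CN shows that the CA you exported is the one signing the replacement page; "untrusted" means a different CA was presented (for example, the default Fortinet_CA_SSL on a policy where the custom ssl-ssh-profile has not been applied yet, or the implicit deny still using the default ssl-ca-cert); "no-replacement" is the client-side view of scenario 3. For an interactive look at the same handshake, openssl s_client -proxy <proxy>:<port> -connect <denied-host>:443 prints the certificate chain the proxy returns.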