FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
Article Id 203563

This article explains the scenarios in which FortiProxy presents a replacement message after blocking HTTPS traffic, and which certificate is used to serve that message in each case.

When the traffic is dropped by an explicit proxy policy configured with action set to DENY:


# config firewall policy
    edit <policy-id>
        set type explicit-web
        set name "proxy-policy"
        set explicit-web-proxy "web-proxy"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "webproxy"
        set logtraffic disable
    next
end


Here the replacement message is presented with the certificate of the default certificate-inspection profile, which is applied to the policy when no ssl-ssh-profile is set explicitly.

As such, the certificate used is the Fortinet_CA_SSL certificate.

To have a custom certificate presented, change the ssl-ssh-profile applied to the DENY policy.

The ssl-ssh-profile must be configured to use the custom certificate.


# config firewall policy
    edit <policy-id>
        set ssl-ssh-profile "custom-inspection-profile"
    next
end

Setting the ssl-ssh-profile on a DENY policy has to be done from the CLI; as of 2.0.7 it cannot be set from the GUI.




When there is no explicit proxy policy allowing the connection through FortiProxy and the implicit deny rule drops the traffic:

When traffic is dropped by the implicit deny policy, the certificate set as ssl-ca-cert under config web-proxy global is used whenever an HTTPS replacement message needs to be displayed.


By default, this is the Fortinet_CA_SSL certificate.

The implicit deny policy itself cannot be modified.

If a custom certificate is to be used for the replacement message, set that certificate as ssl-ca-cert as below:

# config web-proxy global
    set ssl-ca-cert "custom-ssl-cert"
end




In cases where no replacement message is needed, it can be disabled as below:

# config web-proxy global
    set https-replacement-message disable
end



Disabling HTTPS replacement messages avoids the certificate errors that browsers show when the certificate used to serve the replacement page is not trusted by the client.

Note that when the replacement message is disabled, the user does not get any message in the browser when access is blocked.
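To confirm from a client which of the cases above applies after a change, the following script (added here, not part of the Fortinet article) sends a request for a blocked site through the explicit proxy with openssl and reports which CA issued the certificate on the replacement page. The proxy address and the blocked hostname are assumed placeholders, and the "Fortinet in the issuer means default CA" rule is a heuristic assumption.

```sh
#!/bin/sh
# Added check, not part of the Fortinet article. It sends a CONNECT for a
# blocked site through the explicit proxy and reports which CA issued the
# certificate on the HTTPS replacement page, so the result of the ssl-ssh-profile
# or ssl-ca-cert change above can be confirmed from a client.
# PROXY and BLOCKED_HOST are assumed placeholder values; override them in the environment.

PROXY="${PROXY:-proxy.example.internal:8080}"
BLOCKED_HOST="${BLOCKED_HOST:-blocked.example.com}"

# Extract the CN from an "issuer=..." line as printed by `openssl x509 -noout -issuer`.
# Handles both "issuer=CN = X, O = Y" and the older "issuer=/O=Y/CN=X" layout.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Map the issuer line to the cases the article describes. Assumption: the
# built-in Fortinet_CA_SSL certificate carries "Fortinet" in its issuer
# organisation, so anything else is treated as a custom CA.
classify_issuer() {
    case "$1" in
        "")          echo "no-replacement-page" ;;   # no TLS handshake: message disabled or connection refused
        *Fortinet*)  echo "default-fortinet-ca" ;;   # default inspection profile / default ssl-ca-cert
        *)           echo "custom-ca" ;;             # custom ssl-ssh-profile or custom ssl-ca-cert
    esac
}

# Fetch the issuer of the certificate the proxy presents for the blocked host.
replacement_cert_issuer() {
    openssl s_client -proxy "$PROXY" -connect "$BLOCKED_HOST:443" \
        -servername "$BLOCKED_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

main() {
    issuer=$(replacement_cert_issuer)
    echo "issuer line : ${issuer:-<none>}"
    echo "issuer CN   : $(issuer_cn "$issuer")"
    echo "case        : $(classify_issuer "$issuer")"
}

# Only talk to the network when explicitly asked: ./check_replacement_cert.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it once before and once after changing the profile or ssl-ca-cert; the reported case should move from default-fortinet-ca to custom-ca, or to no-replacement-page once https-replacement-message is disabled.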