Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adder666
New Contributor

Some .gov sites blocked, others are not?

I'm a novice with this, but I have web filters enabled and still having trouble reaching a few government sites, for example www.pittsburghca.gov. But others, like [link]https://www.dmv.ca.gov[/link] work fine. I've explicitly allowed the blocked sites and still same error:

 

This Connection is Invalid. SSL certificate expired.

A secure connection to www.pittsburgca.gov cannot be established.

When you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

Sitewww.pittsburgca.govCertificate CNsan-g2.granicusgovaccess.netCertificate AuthorityR3Certificate Validity Not Before: Sep 20 16:46:45 2021 GMT Not After: Dec 19 16:46:44 2021 GMT

 

What am I missing? And remember, I'm a real novice with the Fortinet equipment (new job, this is what they had in place) so explain to me like I'm a 5 year old. It's a Fortigate 100E with firmware v7.0.1 build0157 (GA). Thanks!

33 REPLIES 33
tuanccs

workaround 1 worked after upgrade fortigate to 6.4.7 from 6.2.9

 

Tuan

frank0957

workaround 1 worked on v7.0.1. And wait for users final confirmation tmr mroning

 

Zunk
New Contributor

OK, so I'm a GUI person.

If you are a GUI person, here is the solution.

Security Profiles -> DNS Filter -> Select the filter you want and click the "Edit" button

Under "Domain Filter" click "Create New"

In the resulting dialog box, fill in the Domain with: identrust.com

Click "OK"

(You just created a filter to block identrust.com)

There is still junk in the cache, so it won't work until you clear the cache.

But you're a GUI person, and that's complicated. So reboot.

Upper right corner -> Admin -> System -> Reboot

You are done.

Toshi Esumi, thank you for your help!

 

Toshi_Esumi
Esteemed Contributor II

Yesterday's 7.0.3 release didn't include the fix went into 6.2.10. So I guess it needs to wait until 7.0.4.