Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
buntha
New Contributor

Block Https with Web Filtering & SSL/SSH Inspection Error

Dear Everyone!!

I am use Fortigate 300c i want to block youtube with https://youtube.com & https://facebook.com

but i after enable webfiltering with ssl/ssh inspection cannot use some websites with https://gmail.com

yahoo.com, it's show message error certificate. like this image bellow. 

show have any solution for fix it.

Thank!!!!!

8 REPLIES 8
lunhas2k4
New Contributor II

Hi,

Which version of the fortiOS are you using?

 

On the 5.2.2 you can solve this issue in two ways:

 

1- Install the fortigate certificate on all the machines in you network, you can achieve that with a GPO. You appear to be using the proxy version of the webfiltering and the "full-certificate inspection" profile on the ssh-ssl inspection.

2- Change the webfilter from proxy to flow-based and set the ssl and ssh inspection as "certificate-inspection". If you are using application control as well do not set the full-inspection on it as well.

 

Let us know how it goes.

 

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)

Carlitos loves firewalls NSE4 (5.4,6.0) NSE5 (Fortimanager 6.0, Fortianalyzer 6.0) NSE7 (Enterprise Firewall 6.0)
SteveRoadWarrior
New Contributor III

If you aren't ready for 5.2 yet, you can resolve this by editing the Web Filter policy:

 

in the attached picture we excluded filtering for *.dropbox.com

You can add the other sites as well.

 

However, from what I'm seeing in your post you didn't deploy the SSL Cert through group policy properly.  See the first post.

You should only be having issues with apps which aren't using the native windows(OS) SSL cert repository.

buntha
New Contributor

I am sorry for late reply.

Now i am using version 5.0 if version 5.2 can resolve this problem then i will upgrade firmware version to 5.2 and i will following your instruction temporary after completed upgrade to v5.2.

Thank !!!!!

kubimike
New Contributor III

get openSSl create a certificate, install it on all the PCs. Install the certificate on the FG. Configure Transparent proxy, use Proxy-based on the outbound policy, under protocol options pick the proxy you created. on SSL inspection select custom deep inspection

SteveRoadWarrior
New Contributor III

save your 5.0 config first in case you need to go back to it

be careful that upgrading doesn't make your internet access stop working

be prepared to go back to 5.0 if that happens

buntha
New Contributor

Thank for advice, i will backup configuration after upgrade to version 5.2, 

I have one Question if i upgrade by internet and upgrade by TFTP, which one is the best way for me.

Now In Transparent Mode have only WebFiltering and Email Filtering that can update but other feature not update is Unreachable.

Thank!!!!!!

lunhas2k4
New Contributor II

I prefer to always upgrade by tftp. Should the internet connection not be it at its best, the better option is to have the file you need locally in your machine and then upgrade. And like was mentioned before make sure you backup your configuration. 

Also have a look at the upgrade path. I usually take a full backup config at every step of the update path to the desired destination.

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)

Carlitos loves firewalls NSE4 (5.4,6.0) NSE5 (Fortimanager 6.0, Fortianalyzer 6.0) NSE7 (Enterprise Firewall 6.0)
Luis_Pereira
New Contributor

Hello!

 

If you only want to block those specific domains there's no need to enable SSL/SSH inspection, when it's enabled the firewall will be placing it's self signed certificate in the middle of the request, so the trusted CA of the website will no longer be handling the encryption.

 

That warning is because the browser catch it as attempt of MITM attack, you can try to download and manually install the self signed CA.

 

You can read more about SSL/SSH inspection here.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors