Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
EyponeDK
New Contributor

Block Page certificate error for Hotel guest's - no option to add Fortigate CA at endpoint.

Hi All,

 

I have a hotel as a customer, and we recently replaced their Firewall with a Fortigate.

The hotel is blocking certain web categories, but when the hotel guest is intercepted with the block page they get an certification error, but cannot continue to see why they were blocked!

 

EyponeDK_0-1690893628640.png

 

I think it was possible in previous version of Chromium based browser to click advanced an continue to see the block page.

 

I know how block pages is working when running full SSL inspection OR having the option to install the Fortigate CA to the client 'Trusted Root Certification Authorities' store.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-error-when-accessing-blocked-p...

 

The replaced Firewall was another brand, and was redirecting user to a specific Block Page.

This Block Page I was able to add a hostname and get a certificate from a public trusted CA.

 

Can something similar possible be done on a Fortigate, or how have you solved it ?

 

I can’t ask the staff at the hotel lobby to install the fortigate CA guest endpoint.

 

I hope someone have been in the same situation and solved it.

 

 

 

 

13 REPLIES 13
pgautam
Staff
Staff

 
The reason for that is, when a secured website is accessed (f.e. https://www.youtube.com) the Youtube certificate guarantees that the content of the website is safe (as it is signed by Certificate Authority that is trusted by the browser). However, when the firewall intercepts the SSL traffic to modify the content shown at https://www.youtube.com it will not be able to sign the modified content with the original CA as the firewall does not have a private key of the original CA. 
 
Therefore, the changed content (f.e. FortiGate replacement page) needs to be signed by own CA certificate and if the browser does not trust it, instead of replacement page, user will see the certificate error.
Solution
To remove the certificate error, there are two possibilities:
1) User will import FortiGate CA certificate into browsers 'Trusted Root Certification Authorities' store.
2) If there is a  CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages.
 
Follow related articles to know how to import the CA certificate.
 
-> after the import to utilize this certificate for replacement page signing:
 
# config user setting
set auth-ca-cert <your_CA>
end
 
Related Articles
 
Technical Tip: How to import the CA certificate for full SSL inspection
 
Regards
 
Priyanka 
 
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

 

 

EyponeDK

Hi @pgautam and @smayank 

Thanks for your replies.

Can you please let me know if option 2, can be achieve with a public CA like Godday or Digicert ?

"2) If there is a  CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages."

 

I can't find the post atm. but I blive MITM/ssl intercept can be done via a public cert!

 

 

 

 

pgautam

Hi @EyponeDK 

 

Please find the below link for importing the certificate in the FGT guide

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-the-CA-certificate-for-full-...

 

You can also generate CSR and get is signed by the trusted CA and import it to the FGT.

 

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate

 

Regards

Priyanka

 

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

EyponeDK

Hi @pgautam 

 

Can you please explain how this should be able with a PUBLIC CA ?

https://community.fortinet.com/t5/Support-Forum/quot-CA-TRUE-quot-certificate-for-deep-inspection-wh...

As i wrote i know how this works with an internal CA! 

I have tried to make er cert using CSR Request and then get sSSL.com to sign it, but it come back without "CA:TRUE"

I have imported the cert following this guide:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/582401/generate-a-csr

 

For SSL inspection and Public CA please take a look at.

https://community.fortinet.com/t5/Support-Forum/Public-Signed-SSL-certificate-for-SSL-deep-inspectio...

 

ebilcari

No, the public CA will not allow/sign an intermediate CA (CA:TRUE) to be managed by the end customer.

Modern browsers and devices have added a mechanism to detect the portal and do the redirection automatically before the user tries to browse any https page. If the user start browsing a https page than the browser will prevent the redirection (except the case when they have the CA and you are doing SSL inspection).

So actually for guest devices you have to relay on portal detection ability of the end host device or instruct the users to search for a http page, like neverssl.com

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
EyponeDK

Hi Ebilcari,

 

Thanks for confirming a public CA can't be used.

 

What portal are you referring to when writing below ?
"Modern browsers and devices have added a mechanism to detect the portal and do the redirection automatically before the user tries to browse any https page."

And 
"So actually for guest devices you have to relay on portal detection ability of the end host device"

ebilcari

you can read how Mozilla does it for example: https://support.mozilla.org/en-US/kb/captive-portal
The browsers will try to initiate a plain HTTP request in background and in case of failure/portal detection it will offer the option to help with the redirection to the portal page:

httpsportal.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
EyponeDK

Okay.
How does this relate to "block pages" When the FG Intercepts SSL to a specific website ?

I guess the browser will see the session as allowed and traffic is not redirect to a captive portal ?

Can use the build in captive portal on FG, and get the FG to redirect on block instead of SSL intercepts ?

 

Thanks for taking your time to answer my question.

 

 

 

ebilcari

This portal detection will help only on page redirection when guest try to connect for the first time, It will not help in blocked pages redirections, that was misleading. 

 

For guests solutions, the SSL inspection is not doable. In this cases the DNS filter may help [Redirect Portal IP]: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/567703/fortiguard-category-b...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors