Hi All,
I have a hotel as a customer, and we recently replaced their Firewall with a Fortigate.
The hotel is blocking certain web categories, but when the hotel guest is intercepted with the block page they get an certification error, but cannot continue to see why they were blocked!
I think it was possible in previous version of Chromium based browser to click advanced an continue to see the block page.
I know how block pages is working when running full SSL inspection OR having the option to install the Fortigate CA to the client 'Trusted Root Certification Authorities' store.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-error-when-accessing-blocked-p...
The replaced Firewall was another brand, and was redirecting user to a specific Block Page.
This Block Page I was able to add a hostname and get a certificate from a public trusted CA.
Can something similar possible be done on a Fortigate, or how have you solved it ?
I can’t ask the staff at the hotel lobby to install the fortigate CA guest endpoint.
I hope someone have been in the same situation and solved it.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thanks for your replies.
Can you please let me know if option 2, can be achieve with a public CA like Godday or Digicert ?
"2) If there is a CA certificate (including the private key) that is trusted in the network/domain (by browsers), it is possible to import it to the FortiGate and use it for the replacement messages."
I can't find the post atm. but I blive MITM/ssl intercept can be done via a public cert!
Hi @EyponeDK
Please find the below link for importing the certificate in the FGT guide
You can also generate CSR and get is signed by the trusted CA and import it to the FGT.
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/518006/using-a-ca-signed-certificate
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Hi @pgautam
Can you please explain how this should be able with a PUBLIC CA ?
As i wrote i know how this works with an internal CA!
I have tried to make er cert using CSR Request and then get sSSL.com to sign it, but it come back without "CA:TRUE"
I have imported the cert following this guide:
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/582401/generate-a-csr
For SSL inspection and Public CA please take a look at.
No, the public CA will not allow/sign an intermediate CA (CA:TRUE) to be managed by the end customer.
Modern browsers and devices have added a mechanism to detect the portal and do the redirection automatically before the user tries to browse any https page. If the user start browsing a https page than the browser will prevent the redirection (except the case when they have the CA and you are doing SSL inspection).
So actually for guest devices you have to relay on portal detection ability of the end host device or instruct the users to search for a http page, like neverssl.com
Hi Ebilcari,
Thanks for confirming a public CA can't be used.
What portal are you referring to when writing below ?
"Modern browsers and devices have added a mechanism to detect the portal and do the redirection automatically before the user tries to browse any https page."
And
"So actually for guest devices you have to relay on portal detection ability of the end host device"
Created on 08-08-2023 02:04 AM Edited on 08-08-2023 02:05 AM
you can read how Mozilla does it for example: https://support.mozilla.org/en-US/kb/captive-portal
The browsers will try to initiate a plain HTTP request in background and in case of failure/portal detection it will offer the option to help with the redirection to the portal page:
Okay.
How does this relate to "block pages" When the FG Intercepts SSL to a specific website ?
I guess the browser will see the session as allowed and traffic is not redirect to a captive portal ?
Can use the build in captive portal on FG, and get the FG to redirect on block instead of SSL intercepts ?
Thanks for taking your time to answer my question.
This portal detection will help only on page redirection when guest try to connect for the first time, It will not help in blocked pages redirections, that was misleading.
For guests solutions, the SSL inspection is not doable. In this cases the DNS filter may help [Redirect Portal IP]: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/567703/fortiguard-category-b...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.