Hello all. Web filtering with Full SSL Inspection, we've deployed the FW default certificate to end user PCs and for the most part inspection runs without a hitch. Sometimes however we get a cert error like the one I've attached (I was testing to make sure the FW completely kills UltraSurf). The certificate says it's from *.fortinet.com when it should say it's from "ultrasurf.us" or whichever website the user was trying to get to in the first place. Why does this happen? I'd appreciate any guidance you can offer.
There are some web servers which don't let you decrypt the traffic. You can verify it by accessing the same URL using Edge or IE; they don't support HPKP (HTTP public key pinning). You can force users to use web browsers which don't support this feature, or add the URL to the exemption list.
You said you want to block ultrasurf.us, right? So basically the FortiGate is trying to show the Blocked Page, which of course would have the Fortinet certificate, but the browser is expecting ultrasurf.
> hubertzw wrote:
> There are some web servers which don't let you decrypt the traffic. You can verify it by accessing the same URL using Edge or IE; they don't support HPKP (HTTP public key pinning). You can force users to use web browsers which don't support this feature, or add the URL to the exemption list.

Thanks for the reply. I hadn't considered HPKP. I did try it in other browsers but it failed there as well. We also had a user encounter this problem with www.youtube.com and I'm assuming they allow us to decrypt.
You said you tested it with a different browser. Do you see the same error? Do you have the Fortinet CA uploaded to all Internet browsers? Firefox and Chrome have different locations.
I've tried it with both the default cert shipped with the FW (which has been deployed to the PCs via GPO, and in Firefox's own store). I also used a cert from our internal enterprise CA which was already trusted by all our domain joined PCs. My following tests will be using the enterprise CA cert which also works. My test at the moment is going to Google and searching for "gambling websites" and "porn websites" since I know it should block these. I then try to browse to them. I've done that across all the browsers available: Chrome, Firefox, Edge, IE. My observations thus far:
Probably you do full inspection with the Fortinet CA; the only problem is why it can't generate a correct copy of the original server certificate. If you see once the internal CA certificate and sometimes the internal CA, it means you have 2 policies, is that correct?
HPKP is supported by some web servers, the feature is not commonly implemented.
Use curl with "-v" and look at the cert issuer, or the HTTPS lock in your browsers. If the issuer and web-server cert are showing Fortinet for the issuer, or whatever is in your root CA CN, that means the Fortinet is MiTM. Now if the web-server cert is showing "cn=*.fortinet.com" you have something else going on.
If you get in front of the FGT, what does the website cert show? Is it trusted, and are all intermediate certs present?
HTTP pinning is an issue, but in reality it's being phased out in the internet community. You can check the original website for any pinning in the server responses. I would be very doubtful a porn website is using HTTP key pinning, fwiw.
PCNSE
NSE
StrongSwan
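The curl -v check emnoc describes, together with the earlier HPKP point, written out as a small diagnostic script. This is an added example, not code from the thread or from Fortinet. It connects to each host given on the command line, reads the subject and issuer of the leaf certificate the client was actually handed, and classifies it the way the thread reasons: issuer is your inspection CA and the name still matches the site, so inspection is working; subject is *.fortinet.com, so the client got the FortiGate's own page rather than the site; a public issuer means the flow was not inspected. It also asks the server for a Public-Key-Pins header. INSPECTION_CA_CN is a placeholder for the CN of the CA you deployed, and a chain the local store doesn't trust is reported rather than parsed, since that is itself a finding.

```python
import http.client
import socket
import ssl
from typing import Dict, List, Optional

# Placeholder: the CN of the CA you pushed to the PCs for SSL inspection.
INSPECTION_CA_CN = "FortiGate CA"


def rdn_to_dict(rdns) -> Dict[str, str]:
    """Flatten the nested-tuple subject/issuer form returned by ssl.getpeercert()."""
    flat: Dict[str, str] = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def san_matches(host: str, sans: List[str]) -> bool:
    """True if host is covered by one of the DNS SANs (single-label wildcard only)."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


def classify(expected_host: str, subject: Dict[str, str], issuer: Dict[str, str],
             sans: List[str], inspection_ca_cn: str) -> str:
    """Apply the thread's checks to the certificate the client actually received."""
    subj_cn = subject.get("commonName", "")
    issuer_cn = issuer.get("commonName", "")
    covers_host = subj_cn.lower() == expected_host.lower() or san_matches(expected_host, sans)
    names_fortigate = subj_cn.lower().endswith("fortinet.com") or any(
        s.lower().endswith("fortinet.com") for s in sans)
    if not covers_host and names_fortigate:
        return "fortigate-page"   # cert names the FortiGate, not the site: a block/replacement page
    if not covers_host:
        return "name-mismatch"    # some other cert was served for this host
    if issuer_cn == inspection_ca_cn:
        return "inspected"        # origin cert re-signed by your CA: full inspection as designed
    return "not-inspected"        # origin cert passed through (exempted, or no inspection on this flow)


def fetch_peer_cert(host: str, port: int = 443) -> Optional[dict]:
    """Fetch the leaf cert as the OS trust store sees it. Hostname checking is disabled on
    purpose so a *.fortinet.com cert is returned for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: chain not trusted by this machine's store ({exc.verify_message})")
        return None


def parse_hpkp(value: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins header value into its pin list and max-age."""
    pins: List[str] = []
    max_age = None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "pin-sha256":
            pins.append(arg.strip().strip('"'))
        elif name.lower() == "max-age":
            max_age = int(arg.strip())
    return {"pins": pins, "max_age": max_age}


def fetch_hpkp(host: str) -> Optional[str]:
    """HEAD the site and return its HPKP header, if the server sends one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.getheader("Public-Key-Pins") or resp.getheader("Public-Key-Pins-Report-Only")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        cert = fetch_peer_cert(host)
        if cert is None:
            continue
        subject = rdn_to_dict(cert.get("subject", ()))
        issuer = rdn_to_dict(cert.get("issuer", ()))
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        verdict = classify(host, subject, issuer, sans, INSPECTION_CA_CN)
        print(f"{host}: subject CN={subject.get('commonName')} "
              f"issuer CN={issuer.get('commonName')} -> {verdict}")
        hpkp = fetch_hpkp(host)
        print(f"{host}: HPKP {parse_hpkp(hpkp) if hpkp else 'not sent'}")
```

Run it once from a PC behind the FortiGate and once from in front of it, as emnoc suggests, and compare the two verdicts for the same host; a "fortigate-page" result behind the box with a clean "not-inspected" result in front of it points at the policy rather than at the site.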
> emnoc wrote:
> Use curl with "-v" and look at the cert issuer, or the HTTPS lock in your browsers. If the issuer and web-server cert are showing Fortinet for the issuer, or whatever is in your root CA CN, that means the Fortinet is MiTM. Now if the web-server cert is showing "cn=*.fortinet.com" you have something else going on.
> If you get in front of the FGT, what does the website cert show? Is it trusted, and are all intermediate certs present?
> HTTP pinning is an issue, but in reality it's being phased out in the internet community. You can check the original website for any pinning in the server responses. I would be very doubtful a porn website is using HTTP key pinning, fwiw.

Thanks for your reply, emnoc. Getting from behind the FGT will be a little tricky but I can do that and get back to you. It usually does result in a fully trusted cert chain whenever I disable SSL inspection on my test rule and of course, the website can be freely visited. I'll attach a pic showing the HTTPS info as requested. Please let me know if anything else will help you help me.
Another weird thing: I realize all my attempts that fail in this manner are trying to go to a 208.91.112.55 IP address. In fact, when I use nslookup on ultrasurf.us or rarbg.to or thepiratebay.org they all return that IP address. Curious since our DNS server doesn't have a specific entry for that IP address.
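A way to pin down the nslookup observation above: query the same names against your internal resolver and against a public one, and flag any single address that several unrelated names collapse to on the internal side. This is an added example, not code from the thread or from Fortinet; it sends a minimal DNS A query over UDP with the standard library only, so it can target a specific resolver without any extra packages. INTERNAL_RESOLVER and PUBLIC_RESOLVER are placeholders you replace with your own addresses, and NAMES is the list from the post. CNAME answers are skipped rather than followed.

```python
import socket
import struct
from typing import Dict, List

# Placeholders: your internal resolver and a public resolver to compare it against.
INTERNAL_RESOLVER = "192.0.2.53"
PUBLIC_RESOLVER = "198.51.100.53"
NAMES = ["ultrasurf.us", "rarbg.to", "thepiratebay.org"]   # the names from the post


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query: 12-byte header (RD set) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, and the name ends there
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the A-record addresses found in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                  # RCODE != 0 (e.g. NXDOMAIN): nothing usable to read
        return []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4      # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength              # CNAME and other record types are skipped, not followed
    return addrs


def resolve_a(name: str, resolver: str, timeout: float = 3.0) -> List[str]:
    """Ask one specific resolver for the A records of name."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)


def shared_addresses(results: Dict[str, List[str]], min_names: int = 2) -> Dict[str, List[str]]:
    """Invert name->addresses and keep the addresses that several names share."""
    by_addr: Dict[str, List[str]] = {}
    for name, addrs in results.items():
        for addr in addrs:
            by_addr.setdefault(addr, []).append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) >= min_names}


if __name__ == "__main__":
    internal = {n: resolve_a(n, INTERNAL_RESOLVER) for n in NAMES}
    public = {n: resolve_a(n, PUBLIC_RESOLVER) for n in NAMES}
    for n in NAMES:
        print(f"{n}: internal={internal[n]} public={public[n]}")
    shared = shared_addresses(internal)
    if shared:
        print("addresses the internal resolver returned for several names:", shared)
```

If the internal resolver hands back one address for every blocked name while the public resolver returns the sites' real addresses, the answer is being rewritten somewhere on the path between the PC and the Internet, which would explain both the nslookup result and why the certificate presented belongs to the box doing the rewriting rather than to the site.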