Christian_89
Contributor III

Fortigate Webfilter

Hello, everyone

I have the following problem.
If I want to use a web filter (on a FortiGate 101F with ver. 6.4.8) the http query works, but as soon as I want to use https I get the message err_cert_authority_invalid from various browsers.
This concerns the network for visitors who come to us at meetings.
Do I still have to adjust something in the SSL/SSH inspection? I use the default certificate inspection.
Thank you very much for your help.

AlexC-FTNT
Staff

err_cert_authority_invalid -- means that you have to check what certificate is presented to the users. If there is a deep-inspection profile used in FortiGate, the certificate used to sign the connection is self-signed by FortiGate (therefore not recognized).

Now, if the webfilter is used with certificate-inspection only, it has no access to the decrypted data stream, but it needs to present the user a warning message that the page is blocked by webfilter. That message is also encrypted, but FG can't use the same certificate as the web site the client tried to access, so it will sign this stream with its own certificate. 

 

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/565000/preventing-certificate-warnings-d...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Christian_89
Contributor III

Thank you for the information.
What exactly do I have to configure so that this message no longer comes?

AlexC-FTNT
Staff

You need to purchase a 3rd party signed SSL certificate (as the article linked above describes) and use it for the webfilter replacement message:
# config user setting
# set auth-ca-cert "new certificate name"
# end

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-avoid-certificate-error-when-using...

 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Debbie_FTNT
Staff

In addition to what Alex mentioned - if the FortiGate is trying to present a block page (because the website belongs to a blocked category, for example) you should get a log message in the Web Filter section noting that something has been blocked.

Might be worth checking :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
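
The log check suggested in the last reply can be scripted. The following is an added example, not part of the original thread and not Fortinet code: it parses web filter log lines in FortiOS key=value style and lists which clients hit a blocked HTTPS site, which is when the FortiGate-signed block page (and the browser certificate warning) appears. The sample lines are constructed, and the field names used (subtype, action, service, srcip, hostname) are assumed to match the exported log format.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value style (not taken from the thread).
SAMPLE_LOGS = [
    'date=2022-03-01 time=09:14:02 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=10.10.50.21 service="HTTPS" hostname="games.example.net" action="blocked" '
    'catdesc="Games" msg="URL belongs to a denied category in policy"',
    'date=2022-03-01 time=09:14:09 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.10.50.21 service="HTTPS" hostname="www.example.com" action="passthrough" '
    'catdesc="Business" msg="URL belongs to an allowed category in policy"',
    'date=2022-03-01 time=09:15:40 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=10.10.50.34 service="HTTP" hostname="games.example.net" action="blocked" '
    'catdesc="Games" msg="URL belongs to a denied category in policy"',
    'date=2022-03-01 time=09:16:11 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=10.10.50.21 service="HTTPS" hostname="games.example.net" action="blocked" '
    'catdesc="Games" msg="URL belongs to a denied category in policy"',
    'date=2022-03-01 time=09:17:55 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'srcip=10.10.50.34 service="HTTPS" hostname="social.example.org" action="blocked" '
    'catdesc="Social Networking" msg="URL belongs to a denied category in policy"',
]

# key=value where value is either "quoted text" or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {k: (q if b == "" else b) for k, q, b in PAIR.findall(line)}


def blocked_https(lines):
    """Web filter events where an HTTPS request was blocked.

    These are the requests for which the firewall has to serve an
    encrypted block page signed with its own certificate.
    """
    events = (parse_line(l) for l in lines)
    return [e for e in events
            if e.get("subtype") == "webfilter"
            and e.get("action") == "blocked"
            and e.get("service") == "HTTPS"]


def summarize(lines):
    """Count blocked HTTPS hits per (client IP, hostname)."""
    return Counter((e["srcip"], e["hostname"]) for e in blocked_https(lines))


if __name__ == "__main__":
    for (src, host), n in summarize(SAMPLE_LOGS).most_common():
        print(f"{src} -> {host}: {n} blocked HTTPS request(s)")
```
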