Hi,
Would someone be able to advise how to allow guest devices to use the web filtering without there being SSL inspection? I am unable to add any certificate onto the device but would like webpages to be blocked based on the web filtering policies. At the moment, the firewall is showing its certificate, so the device doesn't trust the local certificate and shows an error before the web filtering block page is shown.
I am utilising a separate VDOM for the guest system so it doesn't interfere with Internal use where we would utilise a trusted certificate for web filtering but unfortunately not possible in this case.
I didn't have an issue with this on version 6.2.5 but having the issue on 6.4.6.
Any help would be greatly appreciated.
Adam
Hi Adam19892000,
Maybe you can modify your SSL Inspection profile to allow Untrusted SSL certificates. Although it is not a good thing to do.
Hi,
I've attached my current configuration via the GUI. The issue seems to be that the FortiGate replaces the site certificate with its own when going to a blocked page. So if I press continue it goes to the block page, but then it seems to allow the blocked website from then on. I know I can't do deep packet inspection with Guest devices, but that's not my intention. I just want basic web filtering available without the FortiGate interfering with its own local certificate.
Thanks
Adam
Hi,
If you do not care about SSL inspection at all, you can modify your SSL profile to allow all certificate signatures, including Blocked, Untrusted and Invalid certificates.
I have tried allowing all invalid SSL certificates and disabling the SNI check but still get the following error:
'This website may be impersonating "888.com" [Gambling] to steal your personal financial information. You should go back to the previous page.'
Testing using an iOS device.
Viewing the certificate you can see *.888.com, but it's being issued by the FortiGate, so it's re-associating the 888.com site certificate with its own, which is why it's not trusted. This only occurs when trying to access a blocked site and being redirected to the standard block page, not on any sites which are allowed via the web filtering.
Thanks
Adam
Hey Adam,
the issue is that FortiGate is trying to display a block page that it hosts itself when blocking webfilter traffic.
The block page will be using a FortiGate certificate, which is probably not going to be trusted, no matter what inspection is applied to the traffic that triggers the webfilter block action.
I'm not aware of any way to prevent the FortiGate from trying to display the block page.
Thanks Debbie. Is there a way I could change the certificate the FortiGate is using to one that would be trusted by browsers so it removes the certificate errors?
Hey Adam,
you would probably have to get a server and sub-CA certificate signed by a public, trusted CA (such as Let's Encrypt) for your setup, and set those as FortiGate's server certificate and in the ssl inspection profile.
This is a good place to start:
Thanks Debbie, I will look into the Let's Encrypt option. Also, from reading, it looks like I could just disable the HTTPS page (#https-replacement-message disable), which stops the error but won't actually show the block page, so it removes one issue but creates another.
Adam
Hey Adam,
if you disable the https replacement message, the browsers will (probably) instead complain that they are redirected to an HTTP page from an HTTPS connection, and refuse with a different error.
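For readers following this thread, here is the CLI equivalent of the two settings discussed above, written as an added example and not taken from any post or from Fortinet documentation. The VDOM name "guest", the profile names "guest-cert-inspect" and "guest-webfilter", and the policy ID are assumptions; the option names are the FortiOS 6.4 ones for a certificate-inspection (not deep-inspection) SSL/SSH profile and for the web filter profile's HTTPS replacement message.

```text
# Assumed VDOM for the guest network (example only)
config vdom
    edit guest
    config firewall ssl-ssh-profile
        edit "guest-cert-inspect"
            set comment "Certificate inspection only: SNI/CN is read, TLS is not decrypted"
            # caname is the CA whose key signs the FortiGate-hosted block page.
            # Guest devices do not trust this CA, which is the error seen in the thread.
            set caname "Fortinet_CA_SSL"
            config https
                set ports 443
                set status certificate-inspection
                # Settings tried in the thread: pass sites whose certificates
                # would otherwise be blocked. They affect the inspected site's
                # certificate, NOT the certificate used for the block page.
                set untrusted-server-cert allow
                set expired-server-cert allow
                set revoked-server-cert allow
                set cert-validation-failure allow
                set sni-server-cert-check disable
            end
        next
    end
    config webfilter profile
        edit "guest-webfilter"
            # enable  = FortiGate serves the block page over HTTPS with caname's
            #           certificate (untrusted on guest devices, browser error).
            # disable = no block page for HTTPS; the blocked session fails instead
            #           of showing the replacement message, as noted in the thread.
            set https-replacemsg disable
            config ftgd-wf
                config filters
                    edit 1
                        set category 12
                        set action block
                    next
                end
            end
        next
    end
    config firewall policy
        edit 10
            set name "guest-to-internet"
            set srcintf "guest-wifi"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set utm-status enable
            set inspection-mode flow
            set ssl-ssh-profile "guest-cert-inspect"
            set webfilter-profile "guest-webfilter"
            set nat enable
        next
    end
    next
end
```

A quick check from a guest device: open a site you expect to be blocked and inspect the certificate the browser receives. If the issuer is the CA named in `caname` rather than the site's public CA, the error page is the FortiGate's own block page, which is exactly the symptom described in the thread and is not affected by the untrusted/invalid certificate toggles. Whether the category 12 numeric ID used above matches "Gambling" on a given FortiGuard release should be confirmed in the GUI before relying on it; it is an assumption here.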