Would someone be able to advise how to allow guest devices to use the web filtering without there being SSL inspection? I am unable to add any certificate onto the device but would like webpages to be blocked based on the web filtering policies. At the moment, the firewall is presenting its own certificate, which the device doesn't trust, so an error is shown before the web filtering block page appears.
I am utilising a separate VDOM for the guest system so it doesn't interfere with internal use, where we would utilise a trusted certificate for web filtering, but unfortunately that is not possible in this case.
I didn't have an issue with this on version 6.2.5 but I am having the issue on 6.4.6.
I've attached my current configuration via the GUI. The issue seems to be that the FortiGate replaces the site certificate with its own when going to a blocked page. So if I press continue it goes to the block page, but then it seems to allow the blocked website from then on. I know I can't do deep packet inspection with guest devices, but that's not my intention. I just want basic web filtering available without the FortiGate interfering with its own local certificate.
I have tried allowing all invalid SSL certificates and disabling the SNI check, but I still get the following error:
'This website may be impersonating "888.com" [Gambling] to steal your personal financial information. You should go back to the previous page.'
Testing using an iOS device.
Viewing the certificate you can see *.888.com, but it's being issued by the FortiGate, so it's re-associating the 888.com site certificate with its own, which is why it's not trusted. This only occurs when trying to access a blocked site and being redirected to the standard block page, not on any sites which are allowed via the web filtering.
You would probably have to get a server and sub-CA certificate signed by a public, trusted CA (such as Let's Encrypt) for your setup, and set those as the FortiGate's server certificate and in the SSL inspection profile.
Thanks Debbie, I will look into the Let's Encrypt option. Also, from reading it looks like I could just disable the HTTPS block page (https-replacement-message disable), which stops the error but won't actually show the block page, so it removes one issue but creates another.