Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Adam19892000
New Contributor II

Guest Devices certificate error via Web Filtering

Hi, 

 

Would someone be able to advise how to allow guest devices to use the web filtering without there being SSL inspection? I am unable to add any certificate onto the device but would like webpages to be blocked based on the web filtering policies. At the moment, the firewall is showing its certificate so the device doesn't trust the local certificate so brings an error before the web filtering block page is shown. 

 

I am utilising a separate VDOM for the guest system so it doesn't interfere with Internal use where we would utilise a trusted certificate for web filtering but unfortunately not possible in this case. 

 

I didn't have an issue with this on version 6.2.5 but having the issue on 6.4.6. 

 

Any help would be greatly appreciated. 

 

Adam

12 REPLIES 12
naibaho
New Contributor III

Hi Adam19892000,

Maybe you can modify your SSL Inspection profile to allow Untrusted SSL certificates. Although, it is not good thing to do.

 

naibaho_0-1646665497978.png

best regard
best regard
Adam19892000

Hi, 

 

I've attached my current configuration via the GUI. The issue seems to be that the FortiGate replaces the site certificate with its own when going to a blocked page. So if I press continue it goes to the block page but then it seems to allow the block website from then on. I know I can't do deep packet inspection with Guest devices but that's not my intention. I just want basic web filtering available without the FortiGate interfering with its own local certificate. 

 

Guest SSL Inspection.PNG

Thanks

Adam

naibaho
New Contributor III

Hi,

If you do not care with ssl inspection at all, you can modify your ssl profile to allow all certificate signiture, include Blocked certificate, Untrusted and Invalid.

best regard
best regard
Adam19892000

I have tried Allowing all Invalid SSL certificates and Disabled the SNI check but still get the following error:

 

'This website may be impersonating "888.com" [Gambling] to steal your personal financial information. You should go back to the previous page.'

 

Testing using an iOS device. 

 

Viewing the certificate you can see *.888.com but its being issued by the FortiGate so its re-associating the 888.com site certificate with its own which is why its not trusted. This only occurs when trying to access a blocked site and being redirected to the standard block page, not on any sites which are allowed via the web filtering. 

 

Thanks

Adam

Debbie_FTNT

Hey Adam,

the issue is that FortiGate is trying to display a block page that it hosts itself when blocking webfilter traffic.

The block page will be using a FortiGate certificate, which is probably not going to be trusted, no matter what inspection is applied to the traffic that triggers the webfilter block action.

I'm not aware of any way to prevent the FortiGate from trying to display the block page.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Adam19892000

Thanks Debbie. Is there a way I could change the certificate the FortiGate is using to one that would be trusted by browsers so it removes the certificate errors? 

Debbie_FTNT

Hey Adam,

you would probably have to get a server and sub-CA certificate signed by a public, trusted CA (such as Let's Encrypt) for your setup, and set those as FortiGate's server certificate and in the ssl inspection profile.

This is a good place to start:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/565000/preventing-certificate-warnings-d...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Adam19892000

Thanks Debbie, I will look into the Let's Encrypt option. Also from reading it looks like I could just disable the HTTPs page #https-replacement-message disable which stops the error but won't actually show the block page so removes one issue but creates another. 

 

Adam

Debbie_FTNT

Hey Adam,

if you disable the https replacement message, the browsers will (probably) instead complain that they are redirected to an HTTP page from an HTTPS connection, and refuse with a different error.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors