Hi,
Would someone be able to advise how to allow guest devices to use the web filtering without there being SSL inspection? I am unable to add any certificate onto the device but would like webpages to be blocked based on the web filtering policies. At the moment, the firewall is showing its certificate so the device doesn't trust the local certificate so brings an error before the web filtering block page is shown.
I am utilising a separate VDOM for the guest system so it doesn't interfere with Internal use where we would utilise a trusted certificate for web filtering but unfortunately not possible in this case.
I didn't have an issue with this on version 6.2.5 but having the issue on 6.4.6.
Any help would be greatly appreciated.
Adam
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Adam19892000,
Maybe you can modify your SSL Inspection profile to allow Untrusted SSL certificates. Although, it is not good thing to do.
Hi,
I've attached my current configuration via the GUI. The issue seems to be that the FortiGate replaces the site certificate with its own when going to a blocked page. So if I press continue it goes to the block page but then it seems to allow the block website from then on. I know I can't do deep packet inspection with Guest devices but that's not my intention. I just want basic web filtering available without the FortiGate interfering with its own local certificate.
Thanks
Adam
Hi,
If you do not care with ssl inspection at all, you can modify your ssl profile to allow all certificate signiture, include Blocked certificate, Untrusted and Invalid.
I have tried Allowing all Invalid SSL certificates and Disabled the SNI check but still get the following error:
'This website may be impersonating "888.com" [Gambling] to steal your personal financial information. You should go back to the previous page.'
Testing using an iOS device.
Viewing the certificate you can see *.888.com but its being issued by the FortiGate so its re-associating the 888.com site certificate with its own which is why its not trusted. This only occurs when trying to access a blocked site and being redirected to the standard block page, not on any sites which are allowed via the web filtering.
Thanks
Adam
Hey Adam,
the issue is that FortiGate is trying to display a block page that it hosts itself when blocking webfilter traffic.
The block page will be using a FortiGate certificate, which is probably not going to be trusted, no matter what inspection is applied to the traffic that triggers the webfilter block action.
I'm not aware of any way to prevent the FortiGate from trying to display the block page.
Thanks Debbie. Is there a way I could change the certificate the FortiGate is using to one that would be trusted by browsers so it removes the certificate errors?
Hey Adam,
you would probably have to get a server and sub-CA certificate signed by a public, trusted CA (such as Let's Encrypt) for your setup, and set those as FortiGate's server certificate and in the ssl inspection profile.
This is a good place to start:
Thanks Debbie, I will look into the Let's Encrypt option. Also from reading it looks like I could just disable the HTTPs page #https-replacement-message disable which stops the error but won't actually show the block page so removes one issue but creates another.
Adam
Hey Adam,
if you disable the https replacement message, the browsers will (probably) instead complain that they are redirected to an HTTP page from an HTTPS connection, and refuse with a different error.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.