HTTPS WebFiltering and HSTS: is it possible to avoid the certificate error message?
Hi all,
I'm using HTTPS WebFiltering with certificate only inspection in a FortiOS 5.0.x environment.
I've an internal CA, so everything works fine when the site I'm visiting is allowed, but if it's not, the replacement message (in HTTPS) brings with it the error caused by HSTS.
I obtain the warning "The security certificate presented by this website was issued for a different website's address".
I'd like to avoid disabling the replacement message, so... is there anything I could do?
Update: from the client side I'm able to prevent the warning above by disabling "Warn about certificate address mismatch" in Internet Explorer (even if this is a "global" setting that shouldn't be disabled).
Thanks!
I made a support inquiry on this issue a while back and they told me it would be fixed in 5.2. I seem to remember testing it and having positive results but I'm still running 5.x in my prod environments.
Can you advise what version of FortiOS you are running?
If you are interested, you can disable the webfilter blockpage completely and just time out the session but I'm guessing that's not an acceptable solution.
config webfilter profile
    edit <profile name>
        set https-replacemsg disable
    next
end
Yep, it seems that with flow-based webfiltering we can avoid the warning message, but only in FortiOS 5.2.x.
In FortiOS 5.0.x the warning message appears.
In both FortiOS versions we face the warning if we choose proxy webfiltering.
Still not fixed in 5.2.3.
Is this fixed in 5.2.4?
Is there an option to have the Fortigate open a new browser tab/window and display the block page via HTTP instead of HTTPS? If the page wasn't directly related to the HTTPS session it might remove the certificate error message. I've not tested this so don't know if 5.x would support this type of config. It sounds like the problem is related to the HTTPS redirect to the block page and certificate mismatch. If the redirect was done via HTTP on a new browser window it might address the problem.
If the browser expects HTTPS with a valid signed certificate it trusts then it will always give an error/warning when it gets anything other than that.
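An added illustration of the point made in the last reply (this is example code written for this page, not code from the thread, from FortiOS or from Fortinet): it models the browser-side decision that produces the mismatch warning, i.e. whether the block page's certificate names the requested host, and whether a cached HSTS policy for that host turns the warning into an error the user cannot click through. All hostnames and the HSTS store are constructed placeholders.

```python
# Added example (not from the thread or Fortinet): models why an HTTPS block page
# trips the "certificate address mismatch" warning and why a cached HSTS policy
# for the blocked site makes it non-overridable. Sample values are constructed.
import re

def hostname_matches(host, san_dns_names):
    """RFC 6125-style match: exact label match, or one wildcard left-most label."""
    host = host.lower().rstrip(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            # a wildcard covers exactly one label: *.example.com != a.b.example.com
            if host.endswith(pat[1:]) and host.count(".") == pat.count("."):
                return True
    return False

def parse_hsts(header_value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains), or None."""
    if not header_value:
        return None
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return (max_age, include_sub) if max_age is not None else None

def hsts_covers(host, hsts_store):
    """True if a cached policy {host: (max_age, include_subdomains)} applies to host."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = hsts_store.get(".".join(labels[i:]))
        # an ancestor's policy only applies with includeSubDomains; max-age=0 clears it
        if policy and policy[0] > 0 and (i == 0 or policy[1]):
            return True
    return False

def classify_block_page(host, block_page_sans, hsts_store):
    """'ok' if the cert names the host, 'warning' if overridable, 'hard-fail' if HSTS forbids override."""
    if hostname_matches(host, block_page_sans):
        return "ok"
    return "hard-fail" if hsts_covers(host, hsts_store) else "warning"

# Constructed sample: the block page is signed only for the firewall's own name.
SAMPLE_STORE = {"blocked.example": parse_hsts("max-age=31536000; includeSubDomains")}
```

With SAMPLE_STORE, classify_block_page("www.blocked.example", ["fw.corp.example"], SAMPLE_STORE) returns "hard-fail"; with an empty store the same request yields only "warning", which is the overridable case the original poster sees in IE.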
