Hi all,
I'm using HTTPS WebFiltering with certificate only inspection in a FortiOS 5.0.x environment.
I have an internal CA, so everything works fine when the site I'm visiting is allowed, but if it's not, the replacement message (in HTTPS) brings with it the error caused by HSTS.
I obtain the warning "The security certificate presented by this website was issued for a different website's address".
I'd like to avoid disabling the replacement message, so... is there anything I could do?
Update: from the client side I'm able to prevent the warning above by disabling the "Warn about certificate address mismatch" option in Internet Explorer (even if this is a "global" setting that shouldn't be disabled).
Thanks!
I made a support inquiry on this issue a while back and they told me it would be fixed in 5.2. I seem to remember testing it and having positive results but I'm still running 5.x in my prod environments.
Can you advise what version of FortiOS you are running?
If you are interested, you can disable the webfilter blockpage completely and just time out the session but I'm guessing that's not an acceptable solution.
config webfilter profile
edit <profile name>
set https-replacemsg disable
end
Yep, it seems that with flow-based webfiltering we can avoid the warning message, but only in FortiOS 5.2.x.
In FortiOS 5.0.x the warning message appears.
In both FortiOS versions we face the warning if we choose proxy webfiltering.
Still not fixed in 5.2.3.
Is this fixed in 5.2.4?
Is there an option to have the Fortigate open a new browser tab/window and display the block page via HTTP instead of HTTPS? If the page wasn't directly related to the HTTPS session it might remove the certificate error message. I've not tested this so don't know if 5.x would support this type of config. It sounds like the problem is related to the HTTPS redirect to the block page and certificate mismatch. If the redirect was done via HTTP on a new browser window it might address the problem.
If the browser expects HTTPS with a valid signed certificate it trusts then it will always give an error/warning when it gets anything other than that.
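Added example, not part of the thread and not Fortinet code: a simplified RFC 6125-style name check showing why a block page certificate signed by a trusted internal CA still triggers the "issued for a different website's address" warning. The certificate contents, hostnames and CA name below are constructed for illustration.

```python
# Simplified browser-side certificate checks. All sample data is constructed.

def label_match(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the entire leftmost label,
    # and never directly under a top-level domain ("*.com").
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(cert: dict, host: str, trusted_issuers: set) -> str:
    """Return the verdict a client reaches for this certificate and host."""
    if cert["issuer"] not in trusted_issuers:
        return "untrusted-issuer"
    # Older clients fall back to the subject CN when no SAN DNS names exist.
    names = cert["san_dns"] or [cert["subject_cn"]]
    if not any(label_match(n, host) for n in names):
        return "name-mismatch"
    return "ok"

TRUSTED = {"Internal CA (constructed)"}

# Constructed: certificate served with the replacement message. It chains
# to the internal CA, but it names the firewall, not the site requested.
BLOCK_PAGE_CERT = {
    "issuer": "Internal CA (constructed)",
    "subject_cn": "firewall.corp.example",
    "san_dns": [],
}

# Constructed: a certificate whose SAN covers the requested hostname.
MATCHING_CERT = {
    "issuer": "Internal CA (constructed)",
    "subject_cn": "blocked.example.com",
    "san_dns": ["blocked.example.com", "*.blocked.example.com"],
}

if __name__ == "__main__":
    for label, cert in (("block page", BLOCK_PAGE_CERT), ("matching", MATCHING_CERT)):
        print(label, "->", check(cert, "blocked.example.com", TRUSTED))
```

Trusting the issuing CA only satisfies the first check; the name check is independent, which is why the client-side workaround in the thread had to switch off the mismatch warning itself.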