Hi there,
Some of my users are seeing this message, while others are accessing the page without any issues. Once I restart the firewall (7.4.3), ALL users/IPs are able to access the page without issues - so it's nothing related to a wrong policy (the policy has NO IP filter, but SSL Inspection and VIP forwarding). I can reproduce it by changing the "SSL" certificate of the rule and changing it back:
Based on the log, only SOME IPs (random, and different ones every time) are affected:
Any hints on how it can be solved without restarting? Where should I start to dig in deeper?
Side Fact:
PUBLIC IP -> VIP -> RULE 9 -> INTERNAL IP
The internal IP has an invalid certificate - right domain, but the certificate is no longer valid; so sometimes this invalid certificate is used, and sometimes the certificate in the FortiGate SSL/SSH inspection category from "Protecting SSL Server" is used. After a reboot the invalid certificate is always ignored and the page loads for everybody.
Thanks...
Hello Team-IT,
If you are using deep inspection for the VIP, I believe the SSL/SSH inspection profile you are using in the firewall policy (rule 9) needs to have the server certificate.
Here is an example:
Rule 9 was the only place where I had the right certificate(s), because there was no place on the "Virtual IP" where I could put it. I have now rebuilt from "Virtual IP" to "Virtual Server" and will see if this is more "stable".
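
One way to confirm from a client which certificate the VIP actually presents on each connection, as an added example that is not part of the original thread: it fingerprints the leaf certificate over repeated handshakes and flags every attempt that did not receive the certificate configured under "Protecting SSL Server". The host, the expected fingerprint and the sample data are assumptions supplied by whoever runs it.

```python
import hashlib
import socket
import ssl
import sys
from collections import Counter


def normalize(fp):
    """Accept 'AA:BB:..' or 'aabb..' style fingerprints."""
    return fp.replace(":", "").strip().lower()


def leaf_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate presented on this connection."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: the expired certificate must be
    # observable, and nothing is sent beyond the handshake.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def summarize(samples, expected_fp):
    """samples: list of (label, fingerprint). Flags every sample that did
    not get the certificate configured in the inspection profile."""
    expected = normalize(expected_fp)
    seen = [(label, normalize(fp)) for label, fp in samples]
    counts = Counter(fp for _, fp in seen)
    unexpected = [label for label, fp in seen if fp != expected]
    return {"counts": dict(counts), "unexpected": unexpected,
            "consistent": not unexpected}


# Constructed sample data (not from the thread): two fake certificates.
GOOD = hashlib.sha256(b"constructed: profile certificate").hexdigest()
STALE = hashlib.sha256(b"constructed: expired backend certificate").hexdigest()
SAMPLE = [("try-1", GOOD), ("try-2", STALE), ("try-3", GOOD.upper())]

if __name__ == "__main__":
    if len(sys.argv) >= 3:   # usage: script.py HOST EXPECTED_SHA256 [TRIES]
        host, expected = sys.argv[1], sys.argv[2]
        tries = int(sys.argv[3]) if len(sys.argv) > 3 else 10
        samples = [(f"try-{i + 1}", leaf_fingerprint(host)) for i in range(tries)]
    else:
        samples, expected = SAMPLE, GOOD
    print(summarize(samples, expected))
```

Running it from an affected and an unaffected client, before and after swapping the certificate on the rule, shows whether the mismatch follows the source IP or varies per connection.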
Copyright 2024 Fortinet, Inc. All Rights Reserved.