jcvm
New Contributor III

Problems with SSL inspection and Web filter

Hello,

We are applying web filtering policies with deep SSL inspection, but instead of getting the predefined message in FortiGate we are getting this error in all browsers:

There is an application that prevents Chrome from connecting to this website securely
"Fortinet" has not been installed correctly on your computer or network:
Try uninstalling or disabling "Fortinet"
Try connecting to another network
NET::ERR_CERT_AUTHORITY_INVALID

How can we solve it?

4 REPLIES 4
akristof
Staff

Hello,

When a page is blocked and the replacement message is shown to the client, this is still an HTTPS page. By default, FortiGate uses a certificate that is signed by an untrusted CA. So if you have your own certificate signed by a trusted CA, you can change this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Encrypting-replacement-messages-with-a-cus...

The other option is to disable the HTTPS replacement message, but this will cause only a blank page to be displayed if a page is blocked, and that can be confusing for the client.

Adrian
pavankr5
Staff

Dear Customer,

The problem occurs when a user tries to access a website via Google Chrome and encounters the error NET::ERR_CERT_AUTHORITY_INVALID. This error indicates that Chrome detects the SSL certificate is not issued by a trusted Certificate Authority.

Initial Checks:

  • Make sure SSL Inspection is enabled on the FortiGate Firewall by navigating to Policy & Objects -> Firewall Policy -> Edit Policy -> SSL/SSH Inspection.
  • Verify if a Web Filter is applied in the same policy.

Check DNS Settings:

Go to the affected PC and identify the DNS settings. Note down the DNS server IP and ensure it is being used across the LAN network.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Resolving-NET-ERR-CERT-AUTHORITY-INV...

Thanks 

Pavan

PixoPuro
New Contributor

Hello, did you install Fortinet_CA_SSL (downloaded on the deep-inspection profile) on those clients?
Just to be clear, install the certificate into the trusted root certificate authorities store.

I think the inspection certificate and the block HTTPS page certificate are the same.

Leandro.

mle2802
Staff

Hi @jcvm,

It looks like the website is blocked and it tried to redirect to the blocked replacement message. Make sure you installed the Fortinet_CA_SSL cert on the local computer.
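
Added example, not part of any reply in this thread and not Fortinet code: a client-side check for the cause the replies describe, comparing a handshake under the client's default trust store with one that trusts only the inspection CA. It assumes Fortinet_CA_SSL was exported from the deep-inspection profile as a PEM file; the function names and command-line arguments are illustrative.

```python
import socket
import ssl
import sys


def handshake_ok(host, ctx, port=443, timeout=5.0):
    """True if the certificate presented for host validates under ctx."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False  # untrusted issuer (or name mismatch); other errors propagate


def ca_only_context(ca_pem_path):
    """Context that trusts nothing except the exported inspection CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def diagnose(system_ok, ca_only_ok):
    """Turn the two handshake results into a finding."""
    if ca_only_ok and not system_ok:
        return ("re-signed by the inspection CA, which this client does not "
                "trust: install it in the trusted root store")
    if ca_only_ok and system_ok:
        return "re-signed by the inspection CA, and the client trusts it"
    if system_ok:
        return "trusted chain not issued by the exported CA: not re-signed by it"
    return ("fails under both stores: not issued by the exported CA "
            "(or invalid for another reason, such as name or expiry)")


if __name__ == "__main__":
    # Assumed usage: python check_ca.py <host> <exported-CA.pem>
    host, ca_file = sys.argv[1], sys.argv[2]
    system_ok = handshake_ok(host, ssl.create_default_context())  # default trust store
    ca_only_ok = handshake_ok(host, ca_only_context(ca_file))
    print(f"{host}: {diagnose(system_ok, ca_only_ok)}")
```

Run it once against a site the web filter blocks and once against an allowed HTTPS site; comparing the two results shows whether the block page and ordinary inspected traffic are signed by the same CA.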
