Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dvdsmith
New Contributor

SSL Certificate Inspection breaks some sites

Has anyone else been running across more sites that will not load if certificate-inspection is used in the Web Filter? Also, this does not involve deep packet inspection. One example is edmunds.com.

 

I ended up creating a group of FQDN addresses including sites that break with certificate inspection and then a Policy with the group as destination, making sure it applied before other policies. The policy, either with a Web Filter with SSL Inspection disabled or no Web Filter at all, allows the group of sites through unimpeded. If I disable the Policy, a browser either presents a failed to load page or an SSL error page with no option to continue.

 

Today I found some content of edmunds.com wouldn't load unless I also added services.edmunds-media.com to the group.

Fortigate-200B 5.2.8 Build 727

Fortigate-200B 5.2.8 Build 727
6 REPLIES 6
NotMine
Contributor

Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?

NSE 7

All oppinions/statements written here are my own.

NSE 7 All oppinions/statements written here are my own.
dvdsmith

slavko wrote:

Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?

Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not. I also find it peculiar that certificate-inspection doesn't break sites like Google Apps, which supposedly is big on security.

 

Does anyone else find it a bit ridiculous that one would need to copy a CA cert to all clients just so Category filtering still works for sites like pornhub.com that recently switched to https?

 

I'm looking at renewing/replacing my Fortigate, and this will definitely be a factor in evaluating alternatives.

Fortigate-200B 5.2.8 Build 727

Fortigate-200B 5.2.8 Build 727
hmtay_FTNT

Hello dvdsmith,

 

>>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.

 

This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?

 

You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.

 

HoMing

dvdsmith

hmtay wrote:

Hello dvdsmith,

 

>>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.

 

This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?

 

You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.

 

HoMing

Thanks for the input, that makes a lot more sense. As for blocking, the site is in a custom category that is blocked for one web filter. I did testing where it wasn't blocked for anyone, and it only loaded right if SSL Inspection was disabled completely. I'll need to see if custom categories have anything to do with this.

Fortigate-200B 5.2.8 Build 727

Fortigate-200B 5.2.8 Build 727
MikePruett
Valued Contributor

Even if you have your certs installed properly, if you are running DPI you will have some sites you are forced to exclude in order to work. Sites are getting smarter and can tell when devices are running MITM style inspection.

Mike Pruett Fortinet GURU | Fortinet Training Videos
hmtay_FTNT

>>Thanks for the input, that makes a lot more sense. As for blocking, the site is in a custom category that is blocked for one web filter. I did testing where it wasn't blocked for anyone, and it only loaded right if SSL Inspection was disabled completely. I'll need to see if custom categories have anything to do with this.

 

No worries. Please let me know if you run into any issues and I will try to help out.

 

HoMing

Labels
Top Kudoed Authors