Has anyone else been running across more sites that will not load if certificate-inspection is used in the Web Filter? Also, this does not involve deep packet inspection. One example is edmunds.com.
I ended up creating a group of FQDN addresses including sites that break with certificate inspection and then a Policy with the group as destination, making sure it applied before other policies. The policy, either with a Web Filter with SSL Inspection disabled or no Web Filter at all, allows the group of sites through unimpeded. If I disable the Policy, a browser either presents a failed to load page or an SSL error page with no option to continue.
Today I found some content of edmunds.com wouldn't load unless I also added services.edmunds-media.com to the group.
Fortigate-200B 5.2.8 Build 727
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?
NSE 7
All oppinions/statements written here are my own.
slavko wrote:Is FortiGate CA certificate installed on client machines as a Trusted Root Authority?
Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not. I also find it peculiar that certificate-inspection doesn't break sites like Google Apps, which supposedly is big on security.
Does anyone else find it a bit ridiculous that one would need to copy a CA cert to all clients just so Category filtering still works for sites like pornhub.com that recently switched to https?
I'm looking at renewing/replacing my Fortigate, and this will definitely be a factor in evaluating alternatives.
Fortigate-200B 5.2.8 Build 727
Hello dvdsmith,
>>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.
This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?
You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.
HoMing
hmtay wrote:Hello dvdsmith,
>>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.
This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?
You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.
HoMing
Thanks for the input, that makes a lot more sense. As for blocking, the site is in a custom category that is blocked for one web filter. I did testing where it wasn't blocked for anyone, and it only loaded right if SSL Inspection was disabled completely. I'll need to see if custom categories have anything to do with this.
Fortigate-200B 5.2.8 Build 727
Even if you have your certs installed properly, if you are running DPI you will have some sites you are forced to exclude in order to work. Sites are getting smarter and can tell when devices are running MITM style inspection.
Mike Pruett
>>Thanks for the input, that makes a lot more sense. As for blocking, the site is in a custom category that is blocked for one web filter. I did testing where it wasn't blocked for anyone, and it only loaded right if SSL Inspection was disabled completely. I'll need to see if custom categories have anything to do with this.
No worries. Please let me know if you run into any issues and I will try to help out.
HoMing
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.