Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ciscomemo
New Contributor

SSL Inspection and certificate error

I understand that if I want to do HTTPs inspection I need to enable SSL inspection on fortinet but this gives error on users browser when opening https websites. This is because we need to install fortinet certificate in user PC , once this is done error goes away . 

 

In guest case senerios where users bring in their own device and we dont have option to install this certificate on each of those devices how would https blocking work ? I believe that we need to instsall the ssl certificate because our certificate is a private generated one , if we purchase a certificate from a known company like https://www.rapidssl.com etc and use that certificate in fortinet and not the default one of fortinet , we might not need to put that certificate in each user PC  because this certificate would be globally trusted . 

 

Please advise if i am correct. 

14 REPLIES 14
Bromont_FTNT
Staff
Staff

In order to do man in the middle SSL inspection the Fortigate needs a key signing cert, very unlikely you'll get a CA to issue you the right type of cert.

ciscomemo

Thankyou for the reply. I wonder how these ISP then block content on a national level and then a user doesnt need to install any certificate on his end. I know several countries where some kind of content is blocked and an error page displays that you are not allowed to view this page.

ciscomemo

can anyone from advance tac answer this please . 

Bromont_FTNT

I don't have first hand experience with country level blocking but if they control DNS then there's no need for man-in-the-middle at all.

ciscomemo

If we say they are doing DNS level blocking then it means its only realted to domain names blocking which we call in the browser. But in my case they do content blocking which means even if there is a youtube widget inside a browser it will get blocked . 

 

Apart from this if its a DNS level blocking then changing the DNS to some global servers can solve the problem but this doesnt. I just wonder how they are able to achieve this , this country level content blocking is being used by several countries/ISPs .

Bromont_FTNT

If DNS poisoning is used at the ISP level then I would assume that requests to DNS servers outside the country would also be blocked or silently translated to their own DNS poisoning servers. Youtube embedded videos would still be blocked in this case.

ciscomemo

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/Security.009.15.htm...

 

This article shows DNS filtering has limitations but In our case ISP has applied full filtering . When a web page is blocked it even shows an error message with a form which we can fill incase we want to inform the admins to consider this web in a different category . 

Bromont_FTNT

do you have a screenshot of what your ISP displays?

ciscomemo

Please see following images 

 

[link]http://s8.postimg.org/njfrnhbb9/oreedo_1_error.png[/link] http://s2.postimg.org/si1lp76k9/oreedo_2_error.png

 

 

I am curious how this iSP is blocking traffic this way . 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors