I understand that if I want to do HTTPs inspection I need to enable SSL inspection on fortinet but this gives error on users browser when opening https websites. This is because we need to install fortinet certificate in user PC , once this is done error goes away .
In guest case senerios where users bring in their own device and we dont have option to install this certificate on each of those devices how would https blocking work ? I believe that we need to instsall the ssl certificate because our certificate is a private generated one , if we purchase a certificate from a known company like https://www.rapidssl.com etc and use that certificate in fortinet and not the default one of fortinet , we might not need to put that certificate in each user PC because this certificate would be globally trusted .
Please advise if i am correct.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
In order to do man in the middle SSL inspection the Fortigate needs a key signing cert, very unlikely you'll get a CA to issue you the right type of cert.
Thankyou for the reply. I wonder how these ISP then block content on a national level and then a user doesnt need to install any certificate on his end. I know several countries where some kind of content is blocked and an error page displays that you are not allowed to view this page.
can anyone from advance tac answer this please .
I don't have first hand experience with country level blocking but if they control DNS then there's no need for man-in-the-middle at all.
If we say they are doing DNS level blocking then it means its only realted to domain names blocking which we call in the browser. But in my case they do content blocking which means even if there is a youtube widget inside a browser it will get blocked .
Apart from this if its a DNS level blocking then changing the DNS to some global servers can solve the problem but this doesnt. I just wonder how they are able to achieve this , this country level content blocking is being used by several countries/ISPs .
If DNS poisoning is used at the ISP level then I would assume that requests to DNS servers outside the country would also be blocked or silently translated to their own DNS poisoning servers. Youtube embedded videos would still be blocked in this case.
This article shows DNS filtering has limitations but In our case ISP has applied full filtering . When a web page is blocked it even shows an error message with a form which we can fill incase we want to inform the admins to consider this web in a different category .
do you have a screenshot of what your ISP displays?
Please see following images
[link]http://s8.postimg.org/njfrnhbb9/oreedo_1_error.png[/link] http://s2.postimg.org/si1lp76k9/oreedo_2_error.png
I am curious how this iSP is blocking traffic this way .
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.