Miata
New Contributor II

This Connection is Untrusted - Web Filtering Issues

Please see the attached.

This message appears with websites that I have blocked.

 

Thanks for your help.

2 Solutions
Bromont_FTNT
Staff

When a secure website is blocked the FortiGate must present the blocked page message using its own certificate which the browser of course does not trust and therefore you get the certificate warning.

The_Doctor
New Contributor II

Hi Miata,

You must set the https-replacemsg option in your webfilter profile to disable (via CLI).

 

You can find the info here:

http://docs.fortinet.com/...tebook-and-tech-notes#

 

 

 

 


10 REPLIES

Miata
New Contributor II

Thanks for your reply.

 

But what if the user adds an exception? Can they still access the website? Is there any way they can access the website from this message?

Bromont_FTNT

If the user adds the exception (trust the invalid certificate) then it should display the FortiGate blocked page message.

Miata
New Contributor II

Also, is there a way to bypass this? 

Christopher_McMullan

Depends what you want to bypass...

 

If you want to be presented with the block page, but still navigate to the page, you can set the category action to Warning or Authenticate. If you want to bypass certificate errors and block pages entirely, in OS 5.2 you can exempt FQDN address objects or FortiGuard categories from deep inspection in the SSL/SSH Inspection Profile.

Regards, Chris McMullan Fortinet Ottawa

Miata
New Contributor II

Thank you very much for your help.


Bromont_FTNT

I assumed you were not using SSL deep inspection... You are only getting cert errors when the page is to be blocked, correct?
Big_Abe
New Contributor

Since you're clearly using Firefox, don't forget (easy mistake) that Firefox doesn't use the Windows store for certificates.

 

In other words, you can push the certs by GPO for IE, but Chrome and FF require installation into their specific keystores. 

 

If you want to see if it's a problem with your intermediary - browse to the page, get past the warning, then view the certificate from the toolbar. You can see what signed the certificate, to determine whether it's the one presented by the firewall, or your attempt to trust a root CA that is getting you the cert error.

 

 

 

 

FCNSP

-------------------------------------

"They have us surrounded again, those poor bastards."

-Unnamed Medic
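
The issuer check described in the post above can also be done from a command line with OpenSSL instead of the browser toolbar. This is an added example, not part of the original thread; the host name, file path and issuer string in it are placeholders, and the issuer string to match must be the name of the CA certificate your own FortiGate signs with.

```shell
#!/usr/bin/env bash
# Added diagnostic example. Host, port, paths and issuer names are placeholders.

# Save the leaf certificate presented by host $1 on port $2 to file $3.
# The certificate is deliberately NOT validated: the goal is to inspect
# a certificate the browser refuses to trust.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print the issuer DN of the PEM certificate in file $1 (RFC 2253 form).
# Prints nothing if the file is missing or is not a certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null \
        | sed 's/^issuer=[[:space:]]*//'
}

# Succeed when the issuer DN of certificate file $1 contains string $2
# (case-insensitive, fixed-string match). Returns 2 if unreadable.
issued_by() {
    local issuer
    issuer=$(cert_issuer "$1")
    [ -n "$issuer" ] || return 2
    printf '%s\n' "$issuer" | grep -qiF -- "$2"
}

# Classify certificate file $1 against the firewall CA name $2:
#   firewall   - signed by the firewall's CA, so the block page is being served
#   other      - signed by some other CA, so the warning has a different cause
#   unreadable - no certificate could be parsed
classify_cert() {
    if issued_by "$1" "$2"; then
        echo firewall
    elif [ -n "$(cert_issuer "$1")" ]; then
        echo other
    else
        echo unreadable
    fi
}

# Typical use (placeholders):
#   fetch_leaf blocked.example 443 /tmp/leaf.pem
#   cert_issuer /tmp/leaf.pem
#   classify_cert /tmp/leaf.pem "<issuer name of your firewall CA>"
```

If the result is `firewall` and the browser still warns, the signing CA certificate is missing from that browser's trust store rather than from the firewall configuration.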
