This Connection is Untrusted - Web Filtering Issues
Please see the attached.
This message appears with websites that I have blocked.
Thanks for your help.
When a secure website is blocked, the FortiGate must present the blocked page message using its own certificate, which the browser of course does not trust, and therefore you get the certificate warning.
Hi Miata,
You must set the https-replacemsg option in your webfilter profile to disable (via CLI).
You can find the info here:
http://docs.fortinet.com/...tebook-and-tech-notes#
Thanks for your reply.
But what if the user adds an exception? Can they still access the website? Is there any way they can access the website from this message?
If the user adds the exception (trust the invalid certificate) then it should display the FortiGate blocked page message.
Also, is there a way to bypass this?
Depends what you want to bypass...
If you want to be presented with the block page, but still navigate to the page, you can set the category action to Warning or Authenticate. If you want to bypass certificate errors and block pages entirely, in OS 5.2 you can exempt FQDN address objects or FortiGuard categories from deep inspection in the SSL/SSH Inspection Profile.
Regards, Chris McMullan Fortinet Ottawa
Thank you very much for your help.
Since you're clearly using Firefox, don't forget (easy mistake) that Firefox doesn't use the Windows store for certificates.
In other words, you can push the certs by GPO for IE, but Chrome and FF require installation into their specific keystores.
If you want to see if it's a problem with your intermediary, browse to the page, get past the warning, then view the certificate from the toolbar. You can see what signed the certificate, to determine if it's the one presented by the firewall, or your attempt to trust a root CA, that is getting you the cert error.
FCNSP
-------------------------------------
"They have us surrounded again, those poor bastards."
-Unnamed Medic
