Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rastt
New Contributor

Version 5.2.1 https replacement message

Hi great Forummers, After reading that upgrading to 5.2.1 was so promising for SSL inspection. I was hoping for a replacement message over http instead https The replacement message that is send back to the client machine is in https. Is there an option for sending it over http instead of https? Or will there be in the future? 1)We cannot install the Fortigate cert on the client machines(BYO environment and non domain systems as well ect..) 2)We cannot create a cert on the CA domain and import it to the Fortigate. 3)Instead of proxy inspection and use DNS wasn' t so nice We also cannot disable the replacement message because user' s won' t know if the site is really working or its being blocked so the " Web Page Blocked!" needs to be send to the client without the certification error so it would be a nice solution to send it through http right? So far i can' t find a solution... Any 2 cents thoughts on this? Good week all! Maarten
3 REPLIES 3
Bromont_FTNT
Staff
Staff

Short answer... NO.. and not in the future either. The browser initiates the HTTPS connection so it will expect HTTPS.... in order to do a redirect or present any kind of blocked page message it first needs to do the SSL inspection with some kind of certificate and present it to the browser.
rastt

Hi Bromont & Adrian, But if i' m not mistaken before HTTPS connection is initiated it first does a DNS request and after that a request for setting up a SSL connection right? DNS req and req for initiating SSL traffic are done plain and open, and thats where the inspection must take place right? I don' t do deep-inspection because of privacy. So the inspection is done before the initiation of the SSL so " magically" sending the redirect back in http cannot....I get it that it' s build like that and if the browser req https it needs the https traffic back but still.... I will investigate the public certs and costs. DNS won' t send " Web Site Blocked!" message so i' m back at square 1. Many thanks
Adrian_Buckley_FTNT

The SSL protocol is DESIGNED to be " Secure point-to-point communication between 2 devices" . That means they built to protocol so that it' s very difficult to decode it. It also means that they built it with the idea that you can' t just get in the middle without it being VERY OBVIOUS. As Bromont said, you can' t magically redirect HTTPS to HTTP without providing a redirect command, which requires HTTPS and means the FortiGate would need to give a certificate ... in which case there' s no point in redirecting to HTTP in the first place and you may as well provide the block on HTTPS. If you want to do filtering on HTTPS and provide block pages without errors then you will need to purchase a certificate that has either CA:True or KeyUsage: KeyCertSign from a public root authority (GoDaddy, Verisign, etc). The other option is DNS based web filtering.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors