WEB Filtering with Authentication broken for facebook. Certificate error.
Hi,
Hoping someone can help me out here. I've found a couple of posts that are sort of similar, but they don't seem to resolve the issue for me.
Fortigate 90D, latest firmware 5.2.4
I've got various WEB Filters in place, combination of "Block" and "Authenticate".
Only recently, when I go to www.facebook.com, I get a certificate error. IE does not allow me to continue on, nor does Chrome, but Chrome does provide more information as per the attached screenshot.
Turning off the web filtering restores access.
I've got facebook set to Authenticate so that certain staff can have access to this site. I don't understand why this would stop working all of a sudden. No issues with any other sites using https.
Any suggestions greatly appreciated.
Thanks
This is HSTS...
With HSTS, Chrome, Firefox and updated IE are realizing that the Fortigate is doing SSL deep inspection and therefore a different CA certificate is used (than the one on the preload list for HSTS).
Is it possible that the IE has been updated recently?
Regards,
Sylvia
Thanks Sylvia.
The only update that would have been done is via Automatic Updates.
How can the error be avoided? I've got several filters in place for sites that require authentication and changing the web filtering to "flow based" breaks this ability.
The same issue applies to Chrome as well.
Any news here?
I'm facing the issue too.
Import the Fortigate certificate into the Windows certificate store on each computer
That doesn't help.
The browsers use HSTS and check that the certificate is signed by a certain CA.
That is the error that is seen in the browser on the client.
We are not even using deep inspection, just certificate-inspection.
This happens because the browser is still at https://www.facebook.com/ but displays a message from the FortiGate device itself (Web Page Blocked).
It stays on https:// and thus encrypts the page with a certificate that is signed by the Fortigate CA.
However the browser does not like this. See this post too.
Typically HSTS checks to make sure the certificate is valid (not expired or self-signed) and that it is signed by a CA which is included in your certificate store.
No, the CA certificate is pinned, that's why it is not trusted.
HSTS in Chrome is basically enforcing this:
See the last paragraph of this StackExchange answer.
Correct me if I'm wrong, but this is also what the error message in the browser is telling me.
I don't believe a HTTP header of "Strict Transport Security" is the cause of the issue. You could always disable it in about:config (for example, depending on browser) and re-test, but that's just my quick thought.
(suggestions)
Have you tried to check the installed CAs in the system and the version that you're on? Does it happen across all systems? All browsers?
I believe your listed CA report is tampered with or is missing a few entries, hence the NET-ERR CA.
Ken
PCNSE
NSE
StrongSwan