Hi,
Hoping someone can help me out here. I've found a couple of posts sort of similar but doesn't seem to resolve the issue for me.
Fortigate 90D, latest firmware 5.2.4
I've got various WEB Filters in place, combination of "Block" and "Authenticate".
Only recently, when I go to www.facebook.com, I get a certificate error. IE does not allow me to continue on, nor does Chrome, but Chrome does provide more information as per the attached screenshot.
Turning off the web filtering restores access.
I've got facebook set to Authenticate so that certain staff can have access to this site. I don't understand why this would stop working all of a sudden. No issues with any other sites using https.
Any suggestions greatly appreciated.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
This is HSTS...
With HSTS, Chrome, Firefox and updated IE are realizing that the Fortigate is doing SSL deep inspection and therefore a different CA certificate is used (than the one on the preload list for HSTS).
Is it possible that the IE has been updated recently?
Regards,
Sylvia
Thanks Sylvia.
The only update that would have been done is via Automatic Updates.
How can the error be avoided? I've got several filters in place for sites that require authentication and changing the web filtering to "flow based" breaks this ability.
The same issue applies to Chrome as well.
Any news here?
I'm facing the issue too.
Import the Fortigate certificate into the Windows certificate store on each computer
That doesn't help.
The browsers uses HSTS and checks that the certificate is signed by a certain CA.
That is the error that is seen in the browser on the client.
We are not even using deep inspection, just certificate-inspection.
This happens because the browser is still at https://www.facebook.com/ but displays a message from the FortiGate device itself (Web Page Blocked).
It stays on https:// and thus encrypts the page with a certificate that is signed by the Fortigate CA.
However the browser does not like this. See this post too.
Typically HSTS checks to make sure the certificate is valid (not expired or self signed) and that it is signed by a CA wich is included in your certificate store.
No, the CA certificate is pinned, that's why it is not trusted.
HSTS in Chrome is basicly enforcing this:
[ol]See the last paragraph this StackExchange answer.
Correct me if I'm wrong, but this is also what the error message in the browser is telling me.
I don't believe a HTTP header of " Strict Transport Security" is the cause of the issue. You could always disable it in about:config ( for example depending on browser ) and re-test but that's just my quick thought.
(suggestions)
Have you tried to check the install CAs in the system & version that your on? Does it happen across all systems? all browsers?
I believe your listed CA reports is tampered with or missing a few entries hence the NET-ERR CA
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.