Good evening!
I've created the following policy to scan web traffic (test setup):
config firewall policy
    edit 2
        set name "Trust:Webzugriff"
        set uuid a7a53264-XXXXXXXXXXXXXXXX
        set srcintf "internal2"
        set dstintf "wan1"
        set action accept
        set srcaddr "Trust address"
        set dstaddr "all"
        set schedule "always"
        set service "HTTPS" "PING" "HTTP"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "AV-Web"
        set webfilter-profile "block some & monitor-all"
        set dnsfilter-profile "default"
        set file-filter-profile "default"
        set ips-sensor "all_default"
        set application-list "block-high-risk"
        set logtraffic all
        set nat enable
    next
end
The webfilter profile is configured to warn on specific categories. This works fine. Surfing to a corresponding web page triggers the webfilter. The Fortigate "warning-page" is shown. However, while the log says the web filter was triggered, the warning page says "FortiGuard Intrusion Prevention - Access Blocked". May be a cosmetic issue.
Clicking "Proceed" in the warning page now leads to the web page, but the certificate of the web page was replaced by the FortiGate. I would expect this behavior with deep-inspection, but not "certificate-inspection".
The configuration of certificate-inspection is the factory default.
Version: v7.4.1 build2463 (Feature)
I would be very thankful if somebody could explain this behavior!
Thanks
Oliver
Created on 11-17-2023 09:50 AM Edited on 11-17-2023 09:51 AM
Hi!
OK, I now got the mechanism. The basic reason for "certificate replacement" is the way the "proceed" mechanism in "Web profile/Policy override" is implemented. For everybody who is interested: The FortiGate provides a corresponding service on port 8015. After clicking proceed, the webpage does not come from the webserver, but the FortiGate. Therefore it's the FortiGate certificate which is used.
Thanks to everybody contributing to this discussion!
Have a nice weekend.
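As an added example (not part of this post and not Fortinet code): a small Python probe that records whether the client's trust store accepts the certificate presented at a host and port, the OpenSSL verify code when it does not, and the leaf certificate's SHA-256 fingerprint, so the certificate seen after clicking Proceed can be compared with the FortiGate's own certificate. It assumes the administrator can read that fingerprint from the FortiGate, and the verify-code table is my own mapping of OpenSSL's X509_V_ERR values.

```python
"""Probe which certificate a client actually receives from host:port.
Added example, not Fortinet code: records whether the default trust store accepts
the leaf, the OpenSSL verify code when it does not, and the leaf's SHA-256 fingerprint."""
import hashlib
import socket
import ssl

# OpenSSL X509_V_ERR codes that separate the usual middlebox situations (my mapping).
VERIFY_CODES = {
    18: "leaf is self-signed (typical for a device serving its own page)",
    19: "chain ends in an untrusted self-signed CA (e.g. an inspection CA not installed here)",
    20: "issuer certificate not found in the local trust store",
    62: "chain is trusted but the certificate was not issued for this hostname",
}

def fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def explain(verify_code):
    """Map an OpenSSL verify code (None = verified) to a short diagnosis."""
    if verify_code is None:
        return "certificate chains to a trusted CA and matches the hostname"
    return VERIFY_CODES.get(verify_code, f"verification failed with code {verify_code}")

def probe(host, port=443, timeout=5):
    """Connect once with verification; on failure reconnect only to read the raw leaf."""
    result = {"host": host, "port": port, "verify_code": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # parsed dict is only filled in after verification
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
                result["sha256"] = fingerprint(tls.getpeercert(binary_form=True))
    except ssl.SSLCertVerificationError as err:
        result["verify_code"] = err.verify_code
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["sha256"] = fingerprint(tls.getpeercert(binary_form=True))
    result["diagnosis"] = explain(result["verify_code"])
    return result

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it once against the site before clicking Proceed and once after; a fingerprint that changes to the FortiGate's certificate with verify code 18 or 19 shows the page is being served by the device rather than the origin.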
Created on 11-16-2023 04:40 AM Edited on 11-16-2023 04:42 AM
The link I included in my reply covers this. If it's not sufficient, let me know what specifically you're missing that you'd like to see added.
Also, this is a "general fact of life" with TLS. The payload of a TLS session cannot be silently modified by a third party without hijacking the session (which requires using your own certificates during the handshake). This is true for all vendors. Anybody claiming to have the capability to do this without triggering errors and without importing CA certificates to client endpoints implicitly claims that they have completely destroyed the security of TLS.
When it comes to FortiOS, you have two alternatives:
I guess you see the FGT cert on the blocking page since that comes from the FortiGate :)
If you got a UTM block via SSL inspection and your policy only has certificate inspection enabled, then something on the cert of the website must have triggered the certificate inspection to block this. Probably the log entry details will show you.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams