Hello Guys,
I had an issue when using the default web filter profile with a blocked static URL for Youtube and other sites.
I used certificate inspection, not the deep inspection option, and when any website should be blocked, like Youtube, I got the certificate warning, which was only solved if I installed the certificate on my machine.
The goal is: how can I solve this issue to get the replacement message for the FortiGuard web filter or the known error "This site can't be reached"? I have other firewalls with the same configuration but without the certificate error.
I opened a case with Fortinet TAC and they told me that you have to install the certificate on the machines! Below is their message:
"As per my findings, for https websites we need to install the CA certificate (in our case the FortiGate CA certificate) to the browser trusted store in order to get the replacement message. Without the certificate we received the same error as the error that you received. PFA the screenshot attached where the root certificate is shown as the FortiGate certificate because the FortiGate is intercepting the connection and sending the block page.
When we use certificate inspection, the FortiGate would just check the CN field to check whether the URL should be blocked. Here when the traffic is coming to the FortiGate, the FortiGate checks that the URL should be blocked and the traffic is not forwarded to Youtube. Thus the SSL handshake with the Youtube site is not complete and thus the FortiGate signs the response back to the client, due to which you see the certificate being signed by the FortiGate."
But I know that the "certificate inspection with the web filter" should not prompt the certificate error!
Any idea?
Hi @Moxeq,
You can find the explanation on this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Webfilter-replacement-message-is-rep...
You can also disable 'https-replacemsg' by running the following commands. Once disabled, users will see 'This site can’t be reached'.
config webfilter profile
edit <>
set https-replacemsg disable
end
Regards,
Hi Mox
You are right: with certificate inspection (not deep) you don't get a certificate error message in the browser when the web filter allows the connection, because the FG doesn't sign the certificates. However, you will get this error if you use a replacement message, because the FG will sign the certificate (you ask for Youtube and you get the FortiGuard page). So in that case you need the CA cert.
If you don't want to install the FG cert on clients, alternatively you can install your domain's subordinate CA on the FG so the signed certs will be trusted by your clients.
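A quick way to see which of the three situations described above a client is actually in (origin certificate, block page signed by the FortiGate CA, or a closed connection when https-replacemsg is disabled) is to look at the certificate the client receives. The script below is an added example, not from this thread or from Fortinet; it assumes the intercepting CA's issuer name contains "Fortinet" (the default FortiGate SSL CA does; change FG_ISSUER_HINT if you installed your own subordinate CA) and relies on the host's openssl and its default trust store.

```shell
#!/usr/bin/env bash
# Diagnose what a client receives for an HTTPS site behind a FortiGate web filter:
#   - the origin's own certificate (web filter allowed the connection),
#   - a block page signed by the FortiGate CA (replacement message), or
#   - no certificate at all (connection closed: "This site can't be reached").
set -u

# Assumed substring of the intercepting CA's issuer name (hypothetical default;
# set FG_ISSUER_HINT to match the CA you actually installed on the FortiGate).
FG_ISSUER_HINT="${FG_ISSUER_HINT:-Fortinet}"

# classify_issuer ISSUER_LINE TRUSTED
#   ISSUER_LINE: output of `openssl x509 -noout -issuer`
#   TRUSTED: "yes" if openssl s_client reported "Verify return code: 0 (ok)", else "no"
classify_issuer() {
  local issuer="$1" trusted="$2"
  case "$issuer" in
    *"$FG_ISSUER_HINT"*)
      if [ "$trusted" = yes ]; then
        echo "fortigate-block-page (CA trusted by this host)"
      else
        echo "fortigate-block-page (CA NOT trusted: browser warning)"
      fi ;;
    *)
      if [ "$trusted" = yes ]; then
        echo "origin-certificate (no interception)"
      else
        echo "origin-certificate but untrusted (check this host's trust store)"
      fi ;;
  esac
}

# diagnose HOST [PORT]: performs a TLS handshake and prints the classification.
diagnose() {
  local host="$1" port="${2:-443}" out pem issuer trusted=no
  # SNI is what certificate inspection matches on, so always send -servername.
  out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || true
  pem=$(printf '%s\n' "$out" | openssl x509 2>/dev/null) || true
  if [ -z "$pem" ]; then
    echo "$host: no certificate received (connection closed: 'This site can't be reached')"
    return 2
  fi
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' && trusted=yes
  echo "$host: $issuer"
  echo "$host: $(classify_issuer "$issuer" "$trusted")"
}

# Usage: ./fg-blockpage-check.sh www.youtube.com
if [ "${1:-}" ]; then diagnose "$@"; fi
```

Run it once from a client without the FortiGate CA installed and once from one with it; the two outputs show exactly why the warning appears only on the block page.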
Created on 07-23-2024 12:21 PM Edited on 07-23-2024 12:22 PM
I got the same response from TAC, and they told me to buy a cert from a CA, but now I'm running into validation issues because the IP address I use on the FortiGate isn't in my FQDN; it is just one supplied by my ISP. Forgive me, I'm a newbie, but I am trying to get content filtering working before school starts back in three weeks. I need to be able to block sites.google.com, for example, but let sites.google.com/subsite/example through.
Sales of course told me this would be easy, but it is turning into my nightmare.
I can't install the cert on all machines; we have Chromebooks, iPads, PCs, and since we do a handful of basically BYOD that is impossible.
Thx hbac, understood.