Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Moxeq
New Contributor II

web filter with certificate inspection error

Hello Guys,

I had an issue when using the Default web filter profile with a blocked static URL for Youtube and other sites.

I used the certificate inspection not the Deep inspection option, and when the any website should be blocked like Youtube, I got the certificate warning and only solved if I install the certificate on my machine,

the goal is that how can I solve this issue to get the replacement message for FortiGuard web filter or the known error "This site can’t be reached". I have another firewalls and with the same configuration but without the certificate error.

I opened a case with Fortinet TAC and they told me that you have to install the certificate on the machines! below is their message:

" As per my findings, for https websites we need to install the CA certificate (in our case the FortiGate CA certificate) to the browser trusted store in order to get the replacement message. Without the certificate we received the same error as the error that you received. PFA the screenshot attached where root certificate is shown as the FortiGate certificate because the FortiGate is intercepting the connection and sending the block page.
When we use certificate inspection, the FortiGate would just check the CN field to check whether the URL should be blocked. Here when the traffic is coming to the FortiGate, FortiGate checks that the URL should be blocked and the traffic is not forwarded to Youtube. Thus the SSL handshake with the Youtube site is not complete and thus FortiGate signs the response back to the client due to which you see the certificate being signed by FortiGate "

 

But I know that the "certificate inspection with the web filter" should not prompt the certificate error!

any Idea?

FortiGate 

MoX, Cybersecurity Engineer
MoX, Cybersecurity Engineer
1 Solution
hbac
Staff
Staff

Hi @Moxeq,

 

You can find the explanation on this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Webfilter-replacement-message-is-rep...

 

You can also disable 'https-replacemsg' by running the following commands. Once disabled, users will see 'This site can’t be reached'. 

 

config webfilter profile 

edit <> 

set https-replacemsg disable 

end 

 

Regards, 

View solution in original post

4 REPLIES 4
AEK
SuperUser
SuperUser

Hi Mox

You are right, with certificate inspection (not deep) you don't get certificate error message in browser when the web filter allows the connection, because FG doesn't sign the certificates. However you will get this error if you use replacement message, because FG will sign the certificate (you ask for youtube and you get FortiGuard page). So in that case you need CA cert.

If you don't want install FG cert on clients, alternatively you can install your domain's subordinate CA on FG so the signed certs will be trusted by your clients.

AEK
AEK
Mvoss
New Contributor

I got the same response from TAC - and they told me to buy a Cert from a CA - but now I'm running into validation issues because the IP address I use on the Fortigate isn't in my FQDN, it is just one supplied by my ISP. Forgive me, I'm a newbie, but I am trying to get content filtering working before school starts back in three weeks. I am needing to be able to block sites.google.com for example, but let sites.google.com/subsite/example through. 

Sales of course told me this would be easy, but it is turning into my nightmare.

 

I can't install the cert on all machines, we have Chromebooks, Ipads, PCs, and since we do a handful of basically BYOD that is impossible.

Matt
Matt
hbac
Staff
Staff

Hi @Moxeq,

 

You can find the explanation on this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Webfilter-replacement-message-is-rep...

 

You can also disable 'https-replacemsg' by running the following commands. Once disabled, users will see 'This site can’t be reached'. 

 

config webfilter profile 

edit <> 

set https-replacemsg disable 

end 

 

Regards, 

Moxeq
New Contributor II

Thx hbac. understood.

MoX, Cybersecurity Engineer
MoX, Cybersecurity Engineer
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors