jheadley_FTNT
Article Id 189919

Description

This article presents a flowchart of the expected behavior, and troubleshooting information, for certificate warnings that appear when only a web filtering security profile is used in combination with SSL certificate inspection or deep inspection.

Scope

FortiGates running FortiOS v5.2, v5.4, v5.6, v6.0, v6.2, v6.4, v7.0.
Firewall policies that use only a web filtering security profile in combination with SSL inspection (certificate inspection or deep inspection).


Solution

[Flowchart: expected behavior of certificate warnings with a web filtering profile and SSL certificate inspection or deep inspection]

Troubleshooting:

Verify which policy ID the traffic is hitting via the FortiGate session table or traffic logs, then check the web filtering and SSL inspection profiles applied to that policy.

Compare the certificate presented in the web browser with the certificate configured in the SSL inspection profile. Check that the 'Issued To', 'Issued By', and 'Validity Period' fields match.

[Screenshot: browser certificate details ('Issued To', 'Issued By', 'Validity Period') compared with the certificate configured in the SSL inspection profile]

Solution 1:

Download the FortiGate certificate used for SSL Inspection (default certificate is 'FortiGate_CA_SSLProxy') and import it as a trusted root CA in the web browser as explained in the 'Preventing certificate warnings' Cookbook Recipe.

Workaround 1:

Add the website as an exemption in the SSL deep inspection profile as explained in the 'Exempting Google from SSL inspection' Cookbook Recipe.

Workaround 2:

Prevent the FortiGate from showing the block page for HTTPS sites blocked under this particular web filtering profile with the commands listed below (replace {name} with the name of the web filtering profile):

config webfilter profile
    edit {name}
        set https-replacemsg disable
    next
end
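As an added example (not part of the original article and not Fortinet code), the following Python helper applies the comparison from the troubleshooting step above: it checks the 'Issued By' and 'Validity Period' of the certificate the browser received against the CA configured in the SSL inspection profile and maps the result onto Solution 1 and the two workarounds. The CA subject and certificate details are constructed sample values in the layout returned by Python's ssl.getpeercert(); the live check fetch_presented_cert is hypothetical and assumes the inspection CA has been exported from the FortiGate as a PEM file.

```python
"""Hypothetical triage helper (added example, not Fortinet code) for a browser
certificate warning behind a FortiGate doing SSL inspection. It applies the
troubleshooting step: compare 'Issued By' and 'Validity Period' of the
certificate the browser received with the CA in the SSL inspection profile.
Certificate details use the dict layout of ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Constructed sample values (not the real subject of FortiGate_CA_SSLProxy).
SAMPLE_CA = ((("organizationName", "Example Corp"),),
             (("commonName", "Example FortiGate inspection CA"),))
SAMPLE_PRESENTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": SAMPLE_CA,
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

def rdn_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) tuples into a dict."""
    return {k: v for rdn in name for k, v in rdn}

def cert_time(text):
    """Epoch seconds for a getpeercert() time such as 'Jan  1 00:00:00 2021 GMT'."""
    return ssl.cert_time_to_seconds(text)

def triage(presented, inspection_ca_subject, now):
    """Return (finding, next_step); 'now' is epoch seconds."""
    if rdn_dict(presented["issuer"]) != rdn_dict(inspection_ca_subject):
        # 'Issued By' is not the inspection CA: the warning has another cause.
        return ("issued-by-other-ca",
                "Not the inspection certificate: confirm the policy ID in the "
                "session table or traffic logs and the SSL inspection profile on it.")
    if not cert_time(presented["notBefore"]) <= now <= cert_time(presented["notAfter"]):
        return ("inspection-cert-outside-validity",
                "Replace the CA certificate in the SSL inspection profile.")
    return ("inspection-cert-untrusted",
            "Expected behavior: import the inspection CA as a trusted root CA "
            "(Solution 1), exempt the site (Workaround 1) or disable "
            "https-replacemsg for blocked HTTPS sites (Workaround 2).")

def fetch_presented_cert(host, cafile, port=443):
    """Live check: trust only the inspection CA exported from the FortiGate (PEM).
    A successful handshake proves the presented chain was signed by that CA;
    otherwise ssl.SSLCertVerificationError is raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(triage(SAMPLE_PRESENTED, SAMPLE_CA, cert_time("Jun 15 12:00:00 2022 GMT")))
```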
 
Notes:

  1. The FortiGate presents the block page with the certificate used in the SSL inspection profile. This is why blocking HTTPS websites with certificate inspection still requires the browser to trust that certificate.

  2. A certificate that meets the requirements for use in SSL inspection cannot be purchased from a public CA (GoDaddy, Verisign, DigiCert, etc.): SSL inspection requires a CA certificate able to sign certificates for any website, which public CAs do not issue.

  3. The choice between certificate inspection and deep inspection is addressed in the 'Why you should use SSL inspection' Cookbook Recipe.

  4. The web filtering features warning, authenticate, and override only work with deep inspection. They rely on redirecting the user to a FortiGate page (replacement message), so the FortiGate has to terminate the SSL connection in order to send back the warning or authentication page.


Related Articles:

Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...

Technical Note: Differences between SSL Certificate Inspection and Full SSL Inspection

Technical Note : Digital Certificate management example: Signing a certificate with a CA, Importing ...