Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vedranOP
New Contributor

Created on ‎04-21-2017 07:32 AM

Try to block FB=Your connection is not private, cannot proceed

My device: FortiGate 100D

My current version: v5.2.9,build736 (GA)

 

My goal: disable facebook for all but one group.

 

What I did:

 

[ul]Made security profile with web wildcard block for *facebook + override for marketing group[/ul][ol]
  • Created 2 policies for such profile and put it on top
  • In policy I enabled SSL inspection:[/ol]

     

     

     

    Inserted certificate from dropbox. ,When I try to access  blocked website(for test I use *ibm.com) I get, :

     

     

     

     

    What to do?

     

    Thank you in advance!

    • 10306
    0 Kudos
    2 REPLIES 2
    hmtay_FTNT
    Staff
    Staff

    Created on ‎04-21-2017 08:19 AM

    Hello vedranOP,

     

    Your issue is addressed here:

     

    https://forum.fortinet.com/tm.aspx?m=147802&tree=true

     

    >>Per the documentation I've read, that "should" only be necessary if you are doing deep packet inspection, which I am not.   This is correct. You do not need to import the certificate into all clients if you are using only certificate-inspection. If that is what you did and you still get a page error, that means the FortiGate is trying to forward the "replacement-message" to the browser indicating that the page is blocked. "edmunds.com" is classified as Personal Vehicles. Do you have that category set to Block in the Web Filter?   You can disable the "replacement-message" on the webfilter if you are running in proxy mode. That way, blocked pages will not attempt to print a message and instead will return an SSL reset packet.

     

    http://cookbook.fortinet.com/preventing-certificate-warnings/

     

    If you want to import the SSL Certificate, the link above will show you how to do it. Otherwise, you can disable the replacement message to prevent the warning.

     

    HoMing

    1896
    0 Kudos
    CGoodwin
    New Contributor

    Created on ‎04-27-2017 02:23 AM

    Hello VedranOP,

    You will need to download the cert you are using for ssl inspection on the Fortigate. In your case its the default "Fortinet_CS_SSLProxy" cert. Once you have this you can ether deploy it with a GPO of your domain to PC's or manually install it into the PC's cert center. You need to put it into two locations. Trusted Publishers and Trusted Root Certification Authorities. 

     

     

    FCNSA, FCNSP (NSE4), NSE5

    FCNSA, FCNSP (NSE4), NSE5
    1896
    0 Kudos
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2024 Fortinet, Inc. All Rights Reserved.