- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Block Https with Web Filtering & SSL/SSH Inspectio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Block Https with Web Filtering & SSL/SSH Inspection Error
Dear Everyone!!
I am use Fortigate 300c i want to block youtube with https://youtube.com & https://facebook.com
but i after enable webfiltering with ssl/ssh inspection cannot use some websites with https://gmail.com
yahoo.com, it's show message error certificate. like this image bellow.
show have any solution for fix it.
Thank!!!!!
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Which version of the fortiOS are you using?
On the 5.2.2 you can solve this issue in two ways:
1- Install the fortigate certificate on all the machines in you network, you can achieve that with a GPO. You appear to be using the proxy version of the webfiltering and the "full-certificate inspection" profile on the ssh-ssl inspection.
2- Change the webfilter from proxy to flow-based and set the ssl and ssh inspection as "certificate-inspection". If you are using application control as well do not set the full-inspection on it as well.
Let us know how it goes.
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you aren't ready for 5.2 yet, you can resolve this by editing the Web Filter policy:
in the attached picture we excluded filtering for *.dropbox.com
You can add the other sites as well.
However, from what I'm seeing in your post you didn't deploy the SSL Cert through group policy properly. See the first post.
You should only be having issues with apps which aren't using the native windows(OS) SSL cert repository.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am sorry for late reply.
Now i am using version 5.0 if version 5.2 can resolve this problem then i will upgrade firmware version to 5.2 and i will following your instruction temporary after completed upgrade to v5.2.
Thank !!!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
get openSSl create a certificate, install it on all the PCs. Install the certificate on the FG. Configure Transparent proxy, use Proxy-based on the outbound policy, under protocol options pick the proxy you created. on SSL inspection select custom deep inspection
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
save your 5.0 config first in case you need to go back to it
be careful that upgrading doesn't make your internet access stop working
be prepared to go back to 5.0 if that happens
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for advice, i will backup configuration after upgrade to version 5.2,
I have one Question if i upgrade by internet and upgrade by TFTP, which one is the best way for me.
Now In Transparent Mode have only WebFiltering and Email Filtering that can update but other feature not update is Unreachable.
Thank!!!!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I prefer to always upgrade by tftp. Should the internet connection not be it at its best, the better option is to have the file you need locally in your machine and then upgrade. And like was mentioned before make sure you backup your configuration.
Also have a look at the upgrade path. I usually take a full backup config at every step of the update path to the desired destination.
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
If you only want to block those specific domains there's no need to enable SSL/SSH inspection, when it's enabled the firewall will be placing it's self signed certificate in the middle of the request, so the trusted CA of the website will no longer be handling the encryption.
That warning is because the browser catch it as attempt of MITM attack, you can try to download and manually install the self signed CA.
You can read more about SSL/SSH inspection here.
Related Posts
- Issue with FORTINET Webfilter 176 Views
- VS SSL offloading with deep inspection 138 Views
- New SSID Recommendation 321 Views
- Seeking Recommendations 348 Views
- FortiGate 61F Blocked Web access after... 244 Views
Labels
-
FortiGate
6,851 -
FortiClient
1,357 -
5.2
801 -
5.4
639 -
FortiManager
587 -
FortiAnalyzer
432 -
6.0
416 -
5.6
362 -
FortiAP
357 -
FortiSwitch
352 -
FortiClient EMS
277 -
FortiMail
267 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
166 -
6.4
128 -
FortiNAC
115 -
FortiGuard
109 -
IPsec
93 -
FortiSIEM
91 -
FortiGateCloud
90 -
FortiCloud Products
85 -
SSL-VPN
75 -
FortiToken
74 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiDNS
35 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
27 -
VLAN
26 -
FortiAuthenticator
25 -
FortiConnect
24 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiGate v5.2
17 -
FortiSwitch v6.2
16 -
DNS
16 -
Certificate
16 -
SAML
15 -
BGP
15 -
LDAP
15 -
VDOM
15 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Authentication
12 -
fortilink
12 -
Routing
12 -
FortiCASB
12 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
FortiAP profile
5 -
WAN optimization
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.