Support Forum
Holy
Contributor

SSL Certificate Inspection Only Certificate Warning

Hello Guys,

this is really annoying. With 5.2 we never had problems using the SSL Inspection Profile "Certificate-Inspection" to block HTTPS websites, and it was working with no problem.

Now with 5.4.6, for every HTTPS site that is in a blocked category we first get a certificate warning message from the FortiGate via HTTPS, and therefore first there is a "Certificate Warning" message.

If you proceed and accept, then you see the replacement message from FortiGate "This Category is blocked".

What has been changed in 5.4?

I know we can disable the HTTPS replacement message on the Web Filter profile, but then the connection just gets refused and users won't see the reason why the site has been blocked.

Installing the FortiGate CA on all workstations is also not a solution for us.

The thing is, on 5.2 it worked without problems.

Do you have any suggestion how to block HTTPS sites without getting these warning messages?

Thank you

NSE 8 

NSE 1 - 7

n00b
New Contributor

This is indeed a problem with us also.

However, we only get a certificate warning and are unable to proceed.

So end-users don't know why a page is blocked and think that there is probably no internet, prompting them to call the desktop support.

amargys
New Contributor

Hi guys,

Have you found the solution for this?

Thanks,

ronildo1

amargys wrote:

Hi guys,

Have you found the solution for this?

Thanks,

Hello, this is exactly the problem that I have. We have one client that has a guest wifi and wants to block websites like pornography and bandwidth consumption and others, but the guests don't have the certificate installed on their smartphones, tablets and notebooks. What to do in this case? The guests don't have the certificate because they are guests lol.

Thank you, if anyone finds the solution.

emnoc
Esteemed Contributor III

The solution is to use a trusted cert on the FortiGate that is trusted by the web client. What you could do is inspect the CA chain in the browser.

I don't know if the means exist to redirect and send the replacement message back in "http" and not "https".

 

PCNSE 

NSE 

StrongSwan  
sw2090
Honored Contributor

Afaik the problem is that the built-in certificate shipped with the FortiGates is no longer valid (I don't know why Fortinet still ships it - probably because it's in their firmware images). Since this is no longer valid and SSL inspection uses it to pass the encrypted connection from the FGT to the client, the client will then get a certificate warning of course.

Anyhow, this used to be a self-signed cert requiring your clients to get and install the Fortinet CA...

As said, the solution is: put a valid SSL cert onto your FGT and tell your SSL inspection profile(s) to use this instead of the built-in one.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
emnoc
Esteemed Contributor III

sw2090 wrote:

Afaik the problem is that the built-in certificate shipped with the FortiGates is no longer valid (I don't know why Fortinet still ships it - probably because it's in their firmware images).

What do you mean not valid? (The cert delivered with the FGT is a valid cert, has CN, date, serial #, etc...)

None of the certificates are "valid" from a trust point. You need to import it into your OS truststore and trust it. Once you do that, your browser will trust the issuer from the FortiGate for HTTPS sessions being decrypted.

 

Ken

PCNSE 

NSE 

StrongSwan  
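As an added illustration of emnoc's point (this script is not from any post in this thread): a throwaway CA stands in for the FortiGate's built-in CA, a certificate for the HTTPS block page is issued from it, and `openssl verify` is run once without that CA and once with it, reproducing the "certificate warning" and the "trusted" outcome. All subject names, paths and files are constructed for the demo; only `openssl` is required.

```shell
#!/bin/sh
# Added demo (not from this thread). The HTTPS block page is signed by the
# FortiGate's own CA, so a client that has not imported that CA warns first.
# Every name and file below is constructed for this demo; only openssl is needed.
WORK="$(mktemp -d)"
CA_SUBJ="/CN=Demo FortiGate CA (constructed)"
SITE_SUBJ="/CN=blocked.example"   # stand-in for a site in a blocked category

# Self-signed CA playing the role of the FortiGate's built-in CA. A private
# openssl config marks it CA:TRUE so the result does not depend on openssl.cnf.
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' >"$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Certificate the FortiGate presents on the block page: issued by its own CA,
# not by a public CA the client already trusts.
make_blockpage_cert() {
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$SITE_SUBJ" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/site.csr" -days 1 -CAcreateserial \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -out "$WORK/site.crt" >/dev/null 2>&1
}

# The chain check a browser performs. $1 is an optional CA file standing in
# for the CA having been imported into the OS trust store.
check_trust() {
    if [ -n "$1" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/site.crt" \
            >/dev/null 2>&1 && echo trusted && return 0
    else
        openssl verify -no-CAfile -no-CApath "$WORK/site.crt" \
            >/dev/null 2>&1 && echo trusted && return 0
    fi
    echo untrusted
}

# Without the CA: the warning described in the thread. With the CA imported:
# the client goes straight to the replacement message.
verify_without_ca() { check_trust ""; }
verify_with_ca()    { check_trust "$WORK/ca.crt"; }

make_ca && make_blockpage_cert
echo "without CA: $(verify_without_ca)"
echo "with CA:    $(verify_with_ca)"
```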
jmaurelli
New Contributor

Interested to see the reply from someone in the know. My situation is similar.

FortiOS 5.6.4 200D and I'm unable to web filter a site because of HTTPS. I'm still working through the steps to accomplish this. I'm expecting the same results you have.

jmaurelli
New Contributor

I have configured our web filter and am getting the same results. A certificate warning, the user has to click through, then they see the Block page.

ronildo1
New Contributor

Do you set deep-inspection or certificate-inspection? And are you sure that the certificate is installed on the machine?

This is strange behavior, because the basics are: certificate installed on the machine and SSL inspection enabled.
