SSL Certificate Inspection Only Certificate Warning

Holy
2017/09/22 01:43:55 (permalink) 5.4

Hello guys,

This is really annoying. With 5.2 we never had problems using the SSL inspection profile "Certificate-Inspection" to be able to block HTTPS websites, and it was working with no problem.

Now with 5.4.6, for every HTTPS site that is in a blocked category we first get a certificate warning message from FortiGate via HTTPS, and therefore first there is a "Certificate Warning" message.

If you proceed and accept, then you see the replacement message from FortiGate: "This Category is blocked".

What has been changed in 5.4?

I know we can disable the HTTPS replacement message on the web filter profile, but then the connection just gets refused and users won't see the reason why the site has been blocked.

Installing the FortiGate CA on all workstations is also not a solution for us.

The thing is, on 5.2 it worked without problems.

Do you have any suggestion how to block HTTPS sites without getting these warning messages?

Thank you

NSE 8 
NSE 1 - 7
 
#1


    n00b
    Re: SSL Certificate Inspection Only Certificate Warning 2017/10/12 23:27:51 (permalink)
    This is indeed a problem for us also.
    However, we only get a certificate warning and are unable to proceed.
    So, end users don't know why a page is blocked and think that there is probably no internet, prompting them to call the desktop support.
    #2
    amargys
    Re: SSL Certificate Inspection Only Certificate Warning 2018/06/21 03:15:29 (permalink)
    Hi guys,
     
    Have you found the solution for this?
     
    Thanks,
    #3
    ronildo@secureway.com.br
    Re: SSL Certificate Inspection Only Certificate Warning 2018/06/21 05:36:59 (permalink)
    amargys
    Hi guys,
     
    Have you found the solution for this?
     
    Thanks,




    Hello, this is exactly the problem that I have. We have one client that has a guest wifi and wants to block web sites like pornography, bandwidth consumers and others, but the guests don't have the certificate installed on their smartphones, tablets and notebooks. What to do in this case? The guests don't have the certificate because they are guests lol.

    Thank you, if anyone finds the solution.
    #4
    emnoc
    Re: SSL Certificate Inspection Only Certificate Warning 2018/06/21 09:29:24 (permalink)
    The solution is to use a trusted-cert on the FortiGate and trusted by the web client. What you could do is to inspect the CA chain in the browser.

    I don't know if the means exist to redirect and send the replacement message back in "http" and not "https".

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #5
    jmaurelli
    Re: SSL Certificate Inspection Only Certificate Warning 2018/06/29 08:36:57 (permalink)
    Interested to see the reply from someone in the know. My situation is similar.
     
    FortiOS 5.6.4 200D and I'm unable to web filter a site because of HTTPS. I'm still working through the steps to accomplish this. I'm expecting the same results you have. 
    #6
    jmaurelli
    Re: SSL Certificate Inspection Only Certificate Warning 2018/06/29 08:43:33 (permalink)
    I have configured our web filter and am getting the same results. A certificate warning, the user has to click through, then they see the Block page.
    #7
    sw2090
    Re: SSL Certificate Inspection Only Certificate Warning 2018/07/04 23:19:10 (permalink)
    Afaik the problem is that the built-in certificate shipped with the FortiGates is no longer valid (I don't know why Fortinet still ship it - probably because it's in their firmware images). Since this is no longer valid and SSL inspection uses it to pass the encrypted connection from the FGT to the client, the client will then get a certificate warning of course.
    Anyhow, this used to be a self-signed cert requiring your clients to get and install the Fortinet CA...

    As said, the solution is: put a valid SSL cert onto your FGT and tell your SSL inspection profile(s) to use this instead of the built-in one.
    post edited by sw2090 - 2018/07/04 23:20:26
    #8
    emnoc
    Re: SSL Certificate Inspection Only Certificate Warning 2018/07/05 06:58:55 (permalink)
     
     

     
    Afaik the problem is that the built-in certificate shipped with the fortigates is no longer valid (I don't know why fortinet still ship it - probably because it's in their firmware images).

    What do you mean not valid? (The cert delivered with the FGT is a valid cert, has CN, date, serial#, etc...)

    None of the certificates are "valid" from a trust point. You need to import it into your OS truststore and trust it. Once you do that, your browser will trust the issuer from the FortiGate for HTTPS sessions being decrypted.

    Ken

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #9
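
The trust-store point made in the post above, reproduced offline with openssl as an added example (not part of any post in this thread and not Fortinet's code). It assumes a constructed "inspection CA" standing in for the CA that signs the HTTPS block page, a second constructed CA standing in for what a guest device already trusts, and hypothetical helper names `make_lab` and `client_trusts`.

```bash
#!/usr/bin/env bash
# Added example; every name, key and certificate here is constructed for the demo.
set -eu

# Build a throwaway lab in $1: two unrelated self-signed CAs and one leaf.
make_lab() {
    local dir=$1 name
    # stock.pem         = stands in for the CAs a guest device already trusts
    # inspection-ca.pem = stands in for the firewall's own signing CA
    for name in stock inspection-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Example $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
    done
    # Leaf for the blocked site, issued by the inspection CA (as for a block page).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=blocked.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -days 2 \
        -CA "$dir/inspection-ca.pem" -CAkey "$dir/inspection-ca.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Exit 0 if leaf $1 chains to a CA in trust store file $2, non-zero otherwise.
client_trusts() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab"

# Same leaf, two clients: one without and one with the inspection CA imported.
for store in stock.pem inspection-ca.pem; do
    if client_trusts "$lab/leaf.pem" "$lab/$store"; then
        echo "trust store $store: block page loads without a warning"
    else
        echo "trust store $store: certificate warning before the block page"
    fi
done
```

The leaf is identical in both runs; only the client's trust store changes, which is why the guest devices described earlier in the thread see the warning.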
    ronildo@secureway.com.br
    Re: SSL Certificate Inspection Only Certificate Warning 2018/07/05 10:50:45 (permalink)
    Do you set the deep-inspection or certificate inspection? And be sure that the certificate is installed on the machine?

    This is a strange behavior, because the basics are the certificate installed on the machine and the ssl-inspection enabled.
    #10