Paulsla
New Contributor

Web filter Blocking gives Certificate error

On Version 6

When enabling SSL inspection and web filtering, when a page is blocked the redirect to the block message gives a certificate error.

Is there any way to choose the certificate that is used for the blocked page message?

 

My understanding is as follows:

1. Website is recognized as blocked in a web filter category.
2. Redirect to the block page IP of the local FortiGate.
3. URL stays as normal, hence the FortiGate certificate does not match the URL.

I have seen solutions saying to import the certificate to the client machine; however, this won't work as the IP on the signed cert won't match the DNS name of the site being accessed.

     

I remember on lower versions it would do a URL redirect to an HTTP site on the FortiGate. What am I doing wrong here?

     

4 REPLIES
    Dave_Hall
    Honored Contributor

    Perhaps something like KB#FD37342 is needed?

     

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

    Forti500D
    New Contributor III

Have you enabled Deep SSL inspection? Then select the default SSL inspection profile and try it. Also check which category that web page is included in in the web filter and make sure it's not blocked.

    sw2090
    Honored Contributor

Yes, basically you can change the cert in the SSL inspection profile settings.

Before that you must import the new cert into the certificates section of FortiOS.

The problem here is the cert type you need. Deep inspection is needed to web-filter HTTPS, and deep inspection is a man-in-the-middle method. So it needs to decrypt encrypted traffic, look at it, filter it and then re-encrypt the traffic again. It cannot do that with the original cert because it doesn't have the private key. So it will use a locally installed cert. Default is to use the built-in Fortinet cert. This is untrusted and I think it's also expired.

The problem is that for this you need a sub-CA cert. Most commercial CAs do not sell those, unfortunately.

We worked around this by having our own company-internal CA. The CA cert of this is distributed to all our clients and it can generate sub-CA certs...

    -- 

    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

    Dave_Hall
    Honored Contributor

I'm pretty sure Paul is referring to the web filter warning message itself. The KB I have linked to shows how to set up/link the Fortinet_CA_SSLProxy security certificate to allow the warning message to appear.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
