Fortigate HTTPS inspection Certificate error fixes

*Note – Most of these issues have been fixed in 5.2. By default now, if you select https inspection – Certificate inspection you will just get a blank page when you go to a https that is not allowed.

The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.

But, like all webfilters SSL can be a bit tricky. Fortigate offers its own SSL Certifcate “Fortigate-CA-Proxy” to the client when it does a few things:

1. Deep packet inspection (imagine a man in the middle attack). This way the Fortigate sees all traffic that comes in the session even if it was encrypted.

2. When it sends its replacement message (Blocked) to the client.

Some problems come up with this. The cert has to be trusted by clients, this can be easily done if you have a internal CA, or you could create a Windows group policy to push the certificate into their trusted store. I know you might ask, what if I get a signed cert for this? The certificate is a CA-True certificate. That basically means you would have to get a certificate from a trusted publisher that says you are a public CA. I would say most CA’s would not give us one. But what if you want SSL inspection for Guest clients but don’t want them to see the cert error? The answer lies below friends. Something to remember is you have to have SSL inspection enabled on the firewall policy to get HTTPS inspection to work.

To have the Fortigate block the website without giving an error there are a few things that need to be done:

1. Select the webfilter to use https-url-scan to only look at the URL, not to use deep scanning

2. set the Fortigate to not respond with a replacement message. Remember it responds with a HTTPS blocked page – so  therefore you see the HTTPS cert.

As of Patch 7 this is a CLI command.

To enable HTTPS-url-scan which looks that the URL not the traffic going through:

config webfilter profile

edit default (or your profile name)

set options https-url-scan

end

To disable the HTTPS replacement message:

config webfilter profile

edit default (or your profile name)

set https-replacemsg disable

end

To give an example:

Lets say I block the category “social networking” and go to http://facebook.com it will be blocked. If I go to https://facebook.com it will show a blank screen – no error message, but will not work. Before enabling these commands I would see the error message, then after accepting the cert I would see the block page.

Note* there might be a way to have the replacement message be http, instead of https. I am looking into this.

 

Advertisements

9 responses to “Fortigate HTTPS inspection Certificate error fixes

  1. eblackey July 3, 2014 at 7:58 pm

    Hey, I’ve got this configuration enabled on a 5.07 config. For some reason, I still get the Fortigate SSL certificate. Here is what the profile looks like. Thanks!

    config webfilter profile
    edit “webfilter.test”
    set options https-url-scan
    set https-replacemsg disable
    set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
    config override
    set ovrd-user-group “”
    end
    config web
    set urlfilter-table 1
    end
    config ftgd-wf
    config filters
    edit 1
    set category 142
    next
    edit 2
    set category 140
    next
    edit 3
    set category 141
    next
    end
    end
    next
    end

  2. Degies August 12, 2014 at 11:14 pm

    Does this work on 5.2 as well ?

    • cjcott01 August 13, 2014 at 1:47 pm

      All these are actually done by default in 5.2. They changed how filtering works.

      When you enable ssl inspection (default) certificate-inspection it will just give you a blank screen , and not redirect you to a https web page.

      I need to write a blog entry on it, feel free to let me know if you have any questions.

  3. JL November 20, 2014 at 2:56 pm

    cjcott01, Thanks for your post!! Really, you have helped me a lot !! Facebook and Twitter were working with the webfiltter enabled and was having a lot of problems when i enable SSL Inspector.

    Now, the pages what are including in the webfiltter, show a screen with the message “Certificate Error”

    • cjcott01 November 20, 2014 at 3:40 pm

      Thats Great!
      You need to run the command – https replacement-message disable – in CLI under config webfilter profile – edit profilename.

      In 5.2+ which I recommend you upgrading to, you just modify the policy to use “Certificate inspection” for SSL inspection. Be glad to help. My phone is 502-592-7189.

  4. Marc March 25, 2015 at 5:42 pm

    One more observation in 5.2.2 (maybe also in earlier 5.2.x):

    In the SSL/SSH Inspection options, there is a dropdown menu to select which CA certificate to use. Somewhat surprisingly, this option is available for *both* settings “SSL certificate inspection” and “Full SSL Inspection”.

    Having to select a certificate for “Full SSL Inspection” is obvious: You need to define which CA certificate is used to fake-sign the certificate presented to the user.

    However, “SSL certificate inspection” should not actually need a CA certificate to do it’s job – it can inspect CommonNames in server certificates without being an Man-in-the-Middle and having to on-the-fly-generate and fake-sign any certificates.

    By trial, we found that the cert you select with “SSL certificate inspection” is used to sign the error messages (“Web page blocked”), (a.k.a the “https-replacemsg”).

    Assuming that you cannot or want not to go down the “Full SSL Inspection” path, and you want to spare your users the certificate mismatch and red browser address bar, but still want to present explicit/verbose https-replacemsg to them, you can achieve this by selecting a CA certificate that is trusted in your user’s environment.

    If you happen to have an internal PKI/CA in your domain, you may want to consider getting a (Sub)CA certificate from there – else of course, you may choose to distribute the Fortigate CA cert from your Fortigate unit.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: