*Note: most of these issues have been fixed in FortiOS 5.2. By default, if you select SSL inspection with "Certificate inspection", you now just get a blank page when you browse to an HTTPS site that is not allowed.
The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.
But, as with all web filters, SSL can be a bit tricky. The Fortigate presents its own certificate, "Fortigate-CA-Proxy", to the client in two situations:
1. Deep (full SSL) inspection. The Fortigate acts as a man in the middle: it terminates the client's TLS session and re-signs the server certificate with its own CA, so it sees all traffic in the session even though the session is encrypted.
2. When it sends its replacement message (the "Blocked" page) to the client over HTTPS.
Some problems come up with this. The certificate has to be trusted by the clients. That is easy for managed machines: issue the Fortigate a subordinate CA certificate from your internal CA, or push the Fortigate-CA-Proxy certificate into the Trusted Root store with a Windows group policy. You might ask, what if I get a publicly signed cert for this? The proxy certificate carries the CA:TRUE basic constraint, so you would have to get a certificate from a public CA that says you are a public CA yourself; I would say most CAs would not give us one. But what if you want SSL inspection for guest clients and don't want them to see the certificate error? The answer lies below, friends. Something to remember is that SSL inspection must be enabled on the firewall policy for HTTPS inspection to work at all.
To have the Fortigate block the website without showing a certificate error, two things need to be done:
1. Set the web filter profile to https-url-scan, so it looks only at the URL rather than deep-scanning the traffic.
2. Set the Fortigate not to respond with a replacement message. Remember that it sends the blocked page over HTTPS, which is where the certificate error comes from.
As of Patch 7 these are CLI-only settings.
To enable https-url-scan, which looks only at the URL and not at the traffic going through (replace default with your profile name):
config webfilter profile
    edit default
        set options https-url-scan
end
To disable the HTTPS replacement message (again, replace default with your profile name):
config webfilter profile
    edit default
        set https-replacemsg disable
end
To give an example:
Let's say I block the category "Social Networking" and go to http://facebook.com: it is blocked. If I go to https://facebook.com I get a blank screen with no error message, and the site does not work. Before enabling these commands I would see the certificate error, and then, after accepting the cert, the block page.
Note: there might be a way to have the replacement message be sent over HTTP instead of HTTPS. I am looking into this.
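The three behaviours described above (a blank screen, a certificate error, or a page served under a trusted certificate) can be told apart from the client side with a plain TLS handshake, which is a handy check after changing the profile. The script below is an added example, not code from the original post or from Fortinet; it uses only the Python standard library and the client's own trust store, and the outcome labels and the constructed sample inputs in demo() are mine.

```python
"""Check from a client how an HTTPS site is handled by an inline web filter.

Added example, not code from the original post or from Fortinet. It speaks
plain TLS from the client side and tells apart the behaviours described in
the post: a silent block (blank page, the firewall drops or resets the
connection), an untrusted certificate (the Fortigate-CA-Proxy-signed
replacement page, or a deep-inspection session whose CA the client does not
trust) and a trusted certificate (the real site, or inspection with a CA you
have distributed to the client).
"""
import socket
import ssl
import sys

# Outcome labels; the names are constructed for this example.
SILENT_BLOCK = "silent-block"          # connection reset or closed before any page
UNTRUSTED_CERT = "untrusted-cert"      # a certificate chain the client does not trust
TRUSTED_CERT = "trusted-cert"          # handshake completed against the local trust store
HANDSHAKE_FAILED = "handshake-failed"  # some other TLS failure
UNREACHABLE = "unreachable"            # DNS, routing or timeout problem


def classify(exc):
    """Map the result of a TLS handshake attempt to an outcome label.

    exc is None when the handshake completed, otherwise the exception it raised.
    The order of the isinstance checks matters: the ssl exceptions are all
    subclasses of OSError, so the specific ones must be tested first.
    """
    if exc is None:
        return TRUSTED_CERT
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL reports e.g. "self-signed certificate in certificate chain" or
        # "unable to get local issuer certificate": the chain ends in a CA this
        # client does not trust, which is what the proxy CA looks like.
        return UNTRUSTED_CERT
    if isinstance(exc, (ConnectionResetError, ConnectionAbortedError,
                        BrokenPipeError, ssl.SSLEOFError, EOFError)):
        return SILENT_BLOCK
    if isinstance(exc, ssl.SSLError):
        return HANDSHAKE_FAILED
    if isinstance(exc, OSError):
        return UNREACHABLE
    raise exc  # anything else is a bug in the probe, not a network outcome


def issuer_common_name(cert):
    """Return the issuer CN from an ssl.getpeercert() dictionary, or None."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def probe(host, port=443, timeout=5.0):
    """Connect to host:port using the system trust store and report the outcome.

    Returns (outcome, issuer_cn); the issuer is only known when the handshake
    completed, because Python does not expose the peer certificate on failure.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(None), issuer_common_name(tls.getpeercert())
    except OSError as exc:
        return classify(exc), None


def demo():
    """Offline walk-through on constructed inputs (no network needed)."""
    # A certificate dictionary in getpeercert() shape, constructed here to look
    # like one signed by the FortiGate proxy CA.
    proxied = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Fortinet"),),
                          (("commonName", "Fortigate-CA-Proxy"),))}
    return {
        "blank page": classify(ConnectionResetError(104, "Connection reset by peer")),
        "cert error": classify(ssl.SSLCertVerificationError(
            "self-signed certificate in certificate chain")),
        "passed": classify(None),
        "issuer": issuer_common_name(proxied),
    }


if __name__ == "__main__":
    for host in sys.argv[1:] or ["www.facebook.com"]:
        print(host, *probe(host))
```

Run it from a client behind the firewall with the hostnames you expect to be blocked and allowed, e.g. `python probe.py www.facebook.com www.example.com`. A result of "trusted-cert" with an issuer of Fortigate-CA-Proxy (or your internal sub-CA) means the client trusts the inspection CA; "untrusted-cert" is the certificate error your users see; "silent-block" is the blank page the post describes.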
Hey, I’ve got this configuration enabled on a 5.07 config. For some reason, I still get the Fortigate SSL certificate. Here is what the profile looks like. Thanks!
config webfilter profile
    edit "webfilter.test"
        set options https-url-scan
        set https-replacemsg disable
        set ovrd-perm bannedword-override urlfilter-override fortiguard-wf-override contenttype-check-override
        config override
            set ovrd-user-group ""
        end
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 142
                next
                edit 2
                    set category 140
                next
                edit 3
                    set category 141
                next
            end
        end
    next
end
Hey, thanks for commenting!
Let me add this profile to my Fortigate. Could deep scanning be on?
Are you in Firefox? Also, make sure you are using the correct website. Do you mind if I test with your website? What is the URL?
Does this work on 5.2 as well?
All these are actually done by default in 5.2. They changed how filtering works.
When you enable SSL inspection with the default certificate inspection, it will just give you a blank screen and not redirect you to an HTTPS web page.
I need to write a blog entry on it, feel free to let me know if you have any questions.
cjcott01, thanks for your post!! Really, you have helped me a lot!! Facebook and Twitter were working with the web filter enabled, and I was having a lot of problems when I enabled SSL inspection.
Now the pages that are included in the web filter show a screen with the message "Certificate Error".
That's great!
You need to run the command "https replacement-message disable" in the CLI under "config webfilter profile", "edit profilename".
In 5.2+, which I recommend upgrading to, you just modify the policy to use "Certificate inspection" for SSL inspection. Be glad to help. My phone is 502-592-7189.
One more observation in 5.2.2 (maybe also in earlier 5.2.x):
In the SSL/SSH Inspection options, there is a dropdown menu to select which CA certificate to use. Somewhat surprisingly, this option is available for *both* settings, "SSL certificate inspection" and "Full SSL Inspection".
Having to select a certificate for "Full SSL Inspection" is obvious: you need to define which CA certificate is used to fake-sign the certificate presented to the user.
However, "SSL certificate inspection" should not actually need a CA certificate to do its job; it can inspect Common Names in server certificates without being a man in the middle and having to generate and fake-sign certificates on the fly.
By trial, we found that the cert you select with "SSL certificate inspection" is used to sign the error messages ("Web page blocked"), a.k.a. the https-replacemsg.
Assuming that you cannot or do not want to go down the "Full SSL Inspection" path, and you want to spare your users the certificate mismatch and red browser address bar but still want to present an explicit/verbose https-replacemsg to them, you can achieve this by selecting a CA certificate that is trusted in your users' environment.
If you happen to have an internal PKI/CA in your domain, you may want to consider getting a (sub-)CA certificate from there; otherwise, of course, you may choose to distribute the Fortigate CA cert from your Fortigate unit.