Tag Archives: https inspection

Fortigate HTTPS inspection Certificate error fixes

*Note – Most of these issues have been fixed in 5.2. By default now, if you select https inspection – Certificate inspection you will just get a blank page when you go to a https that is not allowed.

The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.

But, like all webfilters SSL can be a bit tricky. Fortigate offers its own SSL Certifcate “Fortigate-CA-Proxy” to the client when it does a few things:

1. Deep packet inspection (imagine a man in the middle attack). This way the Fortigate sees all traffic that comes in the session even if it was encrypted.

2. When it sends its replacement message (Blocked) to the client.

Some problems come up with this. The cert has to be trusted by clients, this can be easily done if you have a internal CA, or you could create a Windows group policy to push the certificate into their trusted store. I know you might ask, what if I get a signed cert for this? The certificate is a CA-True certificate. That basically means you would have to get a certificate from a trusted publisher that says you are a public CA. I would say most CA’s would not give us one. But what if you want SSL inspection for Guest clients but don’t want them to see the cert error? The answer lies below friends. Something to remember is you have to have SSL inspection enabled on the firewall policy to get HTTPS inspection to work.

To have the Fortigate block the website without giving an error there are a few things that need to be done:

1. Select the webfilter to use https-url-scan to only look at the URL, not to use deep scanning

2. set the Fortigate to not respond with a replacement message. Remember it responds with a HTTPS blocked page – so  therefore you see the HTTPS cert.

As of Patch 7 this is a CLI command.

To enable HTTPS-url-scan which looks that the URL not the traffic going through:

config webfilter profile

edit default (or your profile name)

set options https-url-scan

end

To disable the HTTPS replacement message:

config webfilter profile

edit default (or your profile name)

set https-replacemsg disable

end

To give an example:

Lets say I block the category “social networking” and go to http://facebook.com it will be blocked. If I go to https://facebook.com it will show a blank screen – no error message, but will not work. Before enabling these commands I would see the error message, then after accepting the cert I would see the block page.

Note* there might be a way to have the replacement message be http, instead of https. I am looking into this.

 

Advertisements