Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.
This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:
FortiOS 5.2 and earlier:
    config webfilter fortiguard
    # get
    cache-mode : ttl
    cache-prefix-match : enable
    cache-mem-percent : 2
    ovrd-auth-port-http : 8008
    ovrd-auth-port-https: 8010
    ovrd-auth-port-warning: 8020
    ovrd-auth-https : enable
    warn-auth-https : enable
    close-ports : disable
    request-packet-size-limit: 0
    ovrd-auth-hostname :
    ovrd-auth-cert : Fortinet_Firmware
The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
FortiOS 5.4 and later:
    config user setting
    # get
    auth-type : http https ftp telnet
    auth-cert : Fortinet_Factory
    auth-ca-cert :
    auth-secure-http : disable
    auth-http-basic : disable
    auth-timeout : 5
    auth-timeout-type : idle-timeout
    auth-portal-timeout : 3
    radius-ses-timeout-act: hard-timeout
    auth-blackout-time : 0
    auth-invalid-max : 5
    auth-lockout-threshold: 3
    auth-lockout-duration: 0
    auth-ports:
The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
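To run the same check across saved "get" output from several units, the following added example (not part of the original article or any Fortinet tooling) parses the output for either FortiOS version and reports whether the replacement-message certificate matches the one used for SSL inspection. The function names, the status labels, and the certificate name Corp_Inspection_Cert are assumptions made for illustration.

```python
import re

# Fields that name the replacement-message certificate, as shown on this page:
# ovrd-auth-cert (FortiOS 5.2 and earlier), auth-cert (FortiOS 5.4 and later).
CERT_FIELDS = ("ovrd-auth-cert", "auth-cert")
FACTORY_DEFAULTS = {"Fortinet_Firmware", "Fortinet_Factory"}

# Constructed samples, abbreviated from the "get" output shown above.
SAMPLE_52 = """config webfilter fortiguard
# get
ovrd-auth-port-https: 8010
ovrd-auth-hostname :
ovrd-auth-cert : Fortinet_Firmware
"""
SAMPLE_54 = """config user setting
# get
auth-type : http https ftp telnet
auth-cert : Fortinet_Factory
auth-ca-cert :
auth-ports:
"""

def parse_get_output(text):
    """Parse 'key : value' lines of 'get' output; empty values become ''."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z0-9-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_replacement_cert(get_output, inspection_cert):
    """Return (field, cert, status) for the replacement-message certificate."""
    settings = parse_get_output(get_output)
    for field in CERT_FIELDS:
        if field not in settings:
            continue
        cert = settings[field]
        if cert == inspection_cert:
            status = "match"            # same certificate as SSL inspection
        elif cert in FACTORY_DEFAULTS:
            status = "factory-default"  # clients will warn unless they trust it
        else:
            status = "mismatch"
        return field, cert, status
    return None, None, "not-found"

if __name__ == "__main__":
    for sample in (SAMPLE_52, SAMPLE_54):
        # "Corp_Inspection_Cert" is a hypothetical certificate name.
        print(check_replacement_cert(sample, "Corp_Inspection_Cert"))
```
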
For more information about SSL inspection and certificate errors, see the following resources:
- Preventing certificate warnings (5.2 | 5.4)
- Why you should use SSL inspection
The post Certificate errors for blocked websites appeared first on Fortinet Cookbook.