Certificate errors for blocked websites

Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.

This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:

FortiOS 5.2 and earlier:

config webfilter fortiguard
# get 
cache-mode : ttl 
cache-prefix-match : enable 
cache-mem-percent : 2 
ovrd-auth-port-http : 8008 
ovrd-auth-port-https: 8010 
ovrd-auth-port-warning: 8020 
ovrd-auth-https : enable 
warn-auth-https : enable 
close-ports : disable 
request-packet-size-limit: 0 
ovrd-auth-hostname : 
ovrd-auth-cert : Fortinet_Firmware

The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.

FortiOS 5.4 and later:

config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:

The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
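The mismatch described for both FortiOS branches above comes down to one comparison: the certificate named by ovrd-auth-cert (5.2 and earlier) or auth-cert (5.4 and later) against the certificate your SSL inspection profile uses. The script below is an added example, not code from the cookbook or from Fortinet: it parses the key/value layout of the two CLI listings, picks the right setting for the running version, and, on a mismatch, prints the standard `config` / `set` / `end` commands that would point the replacement-message certificate at the inspection certificate. The sample listings are constructed from the article's own output, and the inspection certificate name (here "Fortinet_SSL", as in the comments below the article) is supplied by the administrator rather than read from the device.

```python
import re
from typing import Dict, Optional

# Constructed sample "get" output, trimmed from the two listings in the article.
# (Same key/value layout as the FortiOS CLI; values are the article's defaults.)
FORTIOS_52_GET = """\
config webfilter fortiguard
# get
cache-mode : ttl
ovrd-auth-port-https: 8010
ovrd-auth-hostname :
ovrd-auth-cert : Fortinet_Firmware
"""

FORTIOS_54_GET = """\
config user setting
# get
auth-type : http https ftp telnet
auth-cert : Fortinet_Factory
auth-ca-cert :
auth-secure-http : disable
auth-ports:
"""

# Where each FortiOS branch stores the replacement-message certificate,
# as the article states: (CLI table, setting name).
CERT_SETTING = {
    "5.2": ("webfilter fortiguard", "ovrd-auth-cert"),
    "5.4": ("user setting", "auth-cert"),
}

# One "key : value" line; the value may be empty (e.g. "auth-ca-cert :").
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def parse_get_output(text: str) -> Dict[str, str]:
    """Turn the key/value lines of a FortiOS 'get' listing into a dict.

    Lines without a 'key : value' shape (the 'config ...' header and the
    '# get' prompt echo) are skipped; empty values become ''.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def version_family(version: str) -> str:
    """Map a FortiOS version ('5.2.11', '5.6.3', '6.0.1') to the branch key."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return "5.2" if (major, minor) <= (5, 2) else "5.4"


def check_replacement_cert(version: str, get_output: str,
                           inspection_cert: str) -> dict:
    """Compare the replacement-message certificate with the SSL inspection
    certificate and, on a mismatch, build the CLI commands that align them.

    inspection_cert is the certificate name your ssl-ssh-profile uses; it is
    supplied by the administrator (an assumption of this example), not parsed.
    """
    table, key = CERT_SETTING[version_family(version)]
    current = parse_get_output(get_output).get(key, "")
    mismatch = current != inspection_cert
    fix: Optional[str] = None
    if mismatch:
        # Standard FortiOS CLI shape: config <table> / set <key> <value> / end
        fix = f"config {table}\n    set {key} {inspection_cert}\nend"
    return {
        "table": table,
        "setting": key,
        "replacement_cert": current,
        "inspection_cert": inspection_cert,
        "mismatch": mismatch,
        "fix": fix,
    }


if __name__ == "__main__":
    # "Fortinet_SSL" stands in for whatever certificate your SSL inspection
    # profile actually uses; substitute your own name here.
    for ver, out in (("5.2.11", FORTIOS_52_GET), ("5.6.3", FORTIOS_54_GET)):
        r = check_replacement_cert(ver, out, "Fortinet_SSL")
        print(f"FortiOS {ver}: {r['setting']} = {r['replacement_cert']!r}, "
              f"mismatch={r['mismatch']}")
        if r["fix"]:
            print(r["fix"])
```

Run it with the output of your own `get` pasted into the sample strings. If it reports a mismatch, you have the two choices the article gives: apply the printed commands so the replacement page is signed by the same certificate clients already trust for inspection, or leave the setting alone and distribute the certificate it names to every client instead.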

For more information about SSL inspection and certificate errors, see the following resources:

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Abdulaziz Alatar

    Can you give me more information, please?
    If I change the Fortinet_factory certificate to the Fortinet_SSL certificate in config user setting, I don’t need to install the certificate on the PCs?

    • Kerrie Newton

      Hello Abdulaziz,

      If you use the Fortinet_SSL certificate you will still need to install the cert on end user PCs.

      For a step by step guide, please see the following recipe:

      Preventing certificate warnings (default certificate)
      http://cookbook.fortinet.com/preventing-certificate-warnings-defaultcert-56/

      Regards,
      Kerrie

      • Janes Chen

        As stated in the cookbook, “To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices.”
        But according to your reply, changing “user setting –> auth-cert” to Fortinet_SSL alone still does not make any difference, right?
        I have tested this myself, and it is certain that only changing the “user setting –> auth-cert” in the CLI does NOT work. But when I downloaded the cert “Fortinet_SSL” from the appliance and installed it on my computer, I still got the error message for websites blocked by the webfilter. Can you give more details about this?
        1. ssl-ssh-profile set to certification in the IPv4 policy, and the certs used for user setting –> auth-cert and ssl-ssh certification are set to the same
        https://uploads.disquscdn.com/images/7bf4930919ec459056dfe83d4fec943dbf77f3e8f83c6eeeb36eeb6af54da301.png
        2. webfilter static entry is added and selected in the same IPv4 policy;
        3. Cert Fortinet-SSL is installed in the client OS (Win7)
        4. Testing result: Still Error!
        Just one more complaint, which maybe you can take into consideration:
        Please always make sure that what you publish is tested, because we are all depending on you when we come here to ask. In my former experience with Fortinet, there are a lot of things in KBs or cookbooks that DO NOT work when strictly following your recipe. This is quite confusing and can cause lots of wasted time, probably for lots of people. The direct result is that both SEs and customers could lose faith in Fortinet during this.

      • Janes Chen

        And maybe one more thing.
        Nowadays more and more enterprises are paying more attention to cyber-security. The continuity of a security product is quite important according to many of my customers, especially when it comes to OS WebUI continuity.
        Between FortiOS 4.*/5.2.*/5.4.*/5.6.* there are so many differences in WebUI configs, and when there is a need to upgrade, the usual answer from our support SE is “DO NOT UPGRADE TO THE LATEST VERSION IF NOT NECESSARY!”
        At the same time, other vendors we deal with could probably always say “PLEASE CONSIDER UPGRADING TO THE LATEST VERSION IF POSSIBLE”, and the choice is left to us and the customer.