Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.
This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:
FortiOS 5.2 and earlier:
config webfilter fortiguard # get cache-mode : ttl cache-prefix-match : enable cache-mem-percent : 2 ovrd-auth-port-http : 8008 ovrd-auth-port-https: 8010 ovrd-auth-port-warning: 8020 ovrd-auth-https : enable warn-auth-https : enable close-ports : disable request-packet-size-limit: 0 ovrd-auth-hostname : ovrd-auth-cert : Fortinet_Firmware
The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
FortiOS 5.4 and later:
config user setting # get auth-type : http https ftp telnet auth-cert : Fortinet_Factory auth-ca-cert : auth-secure-http : disable auth-http-basic : disable auth-timeout : 5 auth-timeout-type : idle-timeout auth-portal-timeout : 3 radius-ses-timeout-act: hard-timeout auth-blackout-time : 0 auth-invalid-max : 5 auth-lockout-threshold: 3 auth-lockout-duration: 0 auth-ports:
The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
For more information about SSL inspection and certificate errors, see the following resources:
Latest posts by Victoria Martin (see all)
- Episode 16: FortiGate Troubleshooting – Common Issues & Solutions - September 6, 2017
- Security Fabric Collection - August 24, 2017
- FortiManager in the Security Fabric - August 24, 2017