Technical Tip : FortiGuard Web filtering - HTTPS sessions blocked due to invalid certificate or when using an external proxy

When external explicit proxy is used, the browser will initiate the HTTPS session with an HTTP CONNECT request. Once this request is successful, the client will initiate an SSL handshake to start the secure connection.

In the FortiGate, the CONNECT request and response will be treated as one request while the SSL handshake will be treated as a second request. The CONNECT request is filtered using the full URL as available in the HTTP request header according to the URL filtering rules.

The second request, the SSL handshake, is filtered using the HTTPS filtering settings. This is often blocked because the site uses an invalid certificate.

In some occasions, when Fortiguard URL filtering is used, the URL of web sites that are permitted either by rating or explicitly listed in the whitelist are still blocked. The logged event is:

"The certificate for the HTTPS session contained an invalid domain name. The session has been filtered by IP only."

This log message is logged anytime the request hostname/domain name (from the HTTP headers or SSL certificate) is determined not to be valid or it is not found. It indicates that the IP address has been substituted for the hostname to allow web-filtering to still take place.

If 'block-invalid-urls' is enabled in the HTTP or HTTPS settings, the status in the log message will be 'blocked' instead of 'filtered'.


If  the HTTP/HTTPS request are done to an external proxy, the real IP address of the destination WEB server server is not known, and therefore the rating queries by either or both the IP address and the domain name are not reliable.