FortiGate
ojacinto
Staff
Article Id 198458
Description
This article describes how to avoid a certificate error in the browser when a web filter override is used to control website access.

The article assumes that the web filter override and the firewall policies allowing the traffic have already been configured.

[Screenshot: ojacinto_FD37342_tn_FD37342-1.jpg]

[Screenshot: ojacinto_FD37342_tn_FD37342-2.jpg]

Solution
After the rating override is configured (web filter override, firewall policy and override users), check the FortiGuard web filter settings on the FortiGate. With the defaults, the override authentication portal is served over HTTPS on TCP port 8010 using the built-in Fortinet_Firmware certificate, which the clients do not trust; this is what produces the certificate warning:
config webfilter fortiguard
    set cache-mode ttl
    set cache-prefix-match enable
    set cache-mem-percent 2
    set ovrd-auth-port-http 8008
    set ovrd-auth-port-https 8010           <- HTTPS port of the override authentication portal
    set ovrd-auth-port-warning 8020
    set ovrd-auth-https enable
    set warn-auth-https disable
    set close-ports disable
    set request-packet-size-limit 0
    set ovrd-auth-hostname ''
    set ovrd-auth-cert "Fortinet_Firmware"  <- default certificate, not trusted by the browsers
end

In this setup the certificate used for SSL inspection is Fortinet_CA_SSLProxy. The clients already trust this CA (otherwise SSL inspection itself would produce warnings), so the same certificate must be set as the certificate of the override authentication portal in the FortiGuard web filter settings:
# config webfilter fortiguard
# set ovrd-auth-cert Fortinet_CA_SSLProxy
# end

The same certificate must also be set in the user authentication settings:
# config user setting
# set auth-ca-cert Fortinet_CA_SSLProxy
# end
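The following script is an added example and is not part of the Fortinet article or of FortiOS. It builds a throw-away PKI with openssl to model the two situations above: the portal on port 8010 presenting a certificate from an issuer the browser does not trust (the default certificate), and the portal presenting a certificate issued by the CA the clients already trust for SSL inspection. The CA names, the portal hostname fortigate.example.net and the file names are hypothetical stand-ins; nothing is exported from a real FortiGate.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): models with a local throw-away PKI
# why the override portal warns with the default certificate and why re-using the
# SSL-inspection CA removes the warning.
# Hypothetical stand-ins:
#   sslproxy_ca  - the CA the clients already trust for SSL inspection
#                  (Fortinet_CA_SSLProxy on the FortiGate)
#   other_ca     - an issuer the clients do not trust (from the browser's point of
#                  view the built-in Fortinet_Firmware certificate behaves like this)
#   portal-*.crt - the server certificate the override portal would present
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the CA certificates carry CA:TRUE regardless of the
# system-wide openssl.cnf (openssl verify rejects issuers without it).
# The dn section is only a placeholder; -subj on the command line overrides it.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA certificate: $1 = CA name.
make_ca() {
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Portal server certificate issued by a CA: $1 = CA name, $2 = portal hostname.
# Writes $WORK/portal-<CA name>.crt.
make_portal_cert_signed_by() {
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/portal-$1.key" -out "$WORK/portal-$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/portal-$1.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 1 -out "$WORK/portal-$1.crt" 2>/dev/null
}

# The check a browser performs when the portal comes up: does the presented
# certificate chain to a CA in the client's trust store? Here the client trusts
# exactly one CA (system stores are disabled). $1 = trusted CA name,
# $2 = portal certificate name without .crt. Prints "trusted" or "untrusted".
client_verdict() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$WORK/$1.crt" \
            "$WORK/$2.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_ca sslproxy_ca
make_ca other_ca
make_portal_cert_signed_by other_ca    fortigate.example.net   # "before": default certificate
make_portal_cert_signed_by sslproxy_ca fortigate.example.net   # "after": ovrd-auth-cert = inspection CA

echo "portal cert from an untrusted issuer:    $(client_verdict sslproxy_ca portal-other_ca)"     # untrusted
echo "portal cert from the SSL-inspection CA:  $(client_verdict sslproxy_ca portal-sslproxy_ca)"  # trusted
```

Against a real FortiGate the equivalent check is openssl s_client -connect <fortigate-ip>:8010 -showcerts </dev/null, which prints the certificate chain the portal actually serves; adding -CAfile with the exported Fortinet_CA_SSLProxy certificate should then give "Verify return code: 0 (ok)". The browser additionally checks that the name it was redirected to matches the certificate, which is the name set with ovrd-auth-hostname.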

Correct operation can now be verified from a client that trusts Fortinet_CA_SSLProxy. Browse to a web site that the FortiGuard web filter blocks, for example:

[Screenshot: ojacinto_FD37342_tn_FD37342-3.jpg]

Click the override link; the portal asking for username and password opens without any certificate error:

[Screenshot: ojacinto_FD37342_tn_FD37342-4.jpg]

After valid credentials are entered, browsing to the web page is permitted:

[Screenshot: ojacinto_FD37342_tn_FD37342-5.jpg]
