FortiGate
bpozdena_FTNT
Article Id 198693

Description

This article describes how to configure the FortiGate to sign the ‘Access Denied’ replacement message using a custom certificate instead of the default ‘Fortinet_CA_SSL’ certificate.


Solution
In an Explicit Proxy environment, when an Explicit Proxy firewall policy denies access to a URL, an end user browsing that URL over HTTP is returned a denied message such as ‘Access Denied: The page you requested has been blocked by a firewall policy restriction’.

If the same end user browses the same URL over HTTPS, the same denied message is returned, but this time the message is signed using the ‘Fortinet_CA_SSL’ certificate by default.

FortiOS v5.4 – 6.0:
# config user setting
    set auth-ca-cert "<custom_CA_certificate>"
end

FortiOS v6.2:
# config web-proxy global
    set ssl-ca-cert "<custom_CA_certificate>"
end
Once the command is executed, the ‘Access Denied: …’ replacement message is signed using <custom_CA_certificate> instead of ‘Fortinet_CA_SSL’.
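A way to verify the change from a client, added here as an example and not part of this article: the script connects through the explicit proxy to a URL the policy denies, reads the certificate the proxy presents for the block page, and checks that its issuer CN is the custom CA rather than the default one. The proxy address, the blocked host and the CA common name are assumed placeholders.

```shell
#!/bin/sh
# Checks which CA signed the TLS certificate that the explicit proxy presents
# for a blocked HTTPS URL, so the signer of the 'Access Denied' page can be
# confirmed after auth-ca-cert / ssl-ca-cert has been changed.
# The three values below are assumptions for this example, not from the article.
PROXY="${PROXY:-proxy.example.internal:8080}"      # explicit proxy host:port
BLOCKED_HOST="${BLOCKED_HOST:-blocked.example.com}" # URL denied by proxy policy
EXPECTED_CA="${EXPECTED_CA:-Corp Proxy CA}"         # CN of the custom CA certificate

# Open a CONNECT tunnel through the proxy (openssl s_client -proxy, OpenSSL 1.1.0+),
# take the certificate the proxy serves for the block page and print its issuer line.
fetch_issuer() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Extract the CN from an openssl "issuer=" line. Handles both the
# "issuer=C = US, CN = X" (OpenSSL 1.1+) and "issuer= /C=US/CN=X" (1.0.x) forms;
# a CN containing ',' or '/' is not supported.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 when the issuer CN in the line equals the expected CA CN, 1 otherwise.
check_issuer() {
    cn=$(issuer_cn "$1")
    [ "$cn" = "$2" ]
}

main() {
    line=$(fetch_issuer "$PROXY" "$BLOCKED_HOST")
    if [ -z "$line" ]; then
        echo "no certificate received from $PROXY for $BLOCKED_HOST"
        return 2
    fi
    if check_issuer "$line" "$EXPECTED_CA"; then
        echo "OK: block page is signed by '$EXPECTED_CA'"
    else
        echo "MISMATCH: block page issuer is '$(issuer_cn "$line")', expected '$EXPECTED_CA'"
        return 1
    fi
}

# Run the live check only when invoked as: sh check_block_page_ca.sh run
if [ "$1" = "run" ]; then main; fi
```

Set PROXY, BLOCKED_HOST and EXPECTED_CA in the environment before running; a MISMATCH result while the issuer still reads as the Fortinet default means the setting did not take effect for the proxy policy being tested.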


Related links:

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm#E...

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/769966/web-proxy-global-settings

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/316620/web-proxy-global

Related Articles

Technical Note: Blocking HTTPS sites