FortiGate – Configuration (Part 3) – Web Filtering | Read-only SSL handshake inspection | Troubleshooting | Adding FortiGate CA Certificate to Windows 10

The Security Profile – Web Filter

FortiOS has a neat section for all the Security Profiles; this GUI is straightforward and intuitive. So let’s see what we have by default.

Looking to catch up on the FortiGate Series? Make sure you check the main page for it: FortiGate – Configuration Series.

[Screenshot: the default Security Profiles list in the FortiOS GUI]

From the screenshot, we can clearly see what each of these profiles is used for. This time, I will copy the Default one instead of creating a new profile. You can do this by right-clicking the default profile and selecting Clone. This opens a new section where you can adjust the name or accept the default Fortinet created for you, which reads: “Clone of Default.”

After changing the name, you want to ensure a new comment is created describing your profile.

Next, you will select the Feature Set: Flow-Based or Proxy-Based.

This time I will be using Proxy-Based as the Feature Set. Although my requirements only talk about blocking all access to social media, know that there are a lot of features that you can use with a Web Filter Profile.

(The following is taken directly from the Profile configuration.) The items marked with a red P are only available if you are using Proxy-Based mode.

Under the FortiGuard Category Section, let’s find all Social Media.


This may be all we have to do for now; after you look at other settings, please save this Profile. But our work is not complete yet, as we need to assign this profile to a Firewall Policy.

Before that, I will make sure I can log in to social media from my Windows Machine to make sure we are all good!


So far, I think I’m in a good place, as I still have access to Social Media.

Applying Security Profile

As mentioned before, this profile needs to be applied to our Firewall Policy. We need to locate the policy that matches our traffic and apply the Web Filter profile. Our lab is super simple; we only have 1 Firewall policy. If you look at the Column called Security Profile, we are not running any inspection. And we have no other Security Profiles assigned to it.


Open your Firewall Policy, go down to the Security Profiles Section. Select the Web Filter Policy and choose the Web Filter you created.


Note that when this Web Filter is selected, a warning appears next to SSL Inspection. It says, in short, that this profile should not be combined with any other UTM Security Profiles/Features, because our configuration may not be applied.

So I will select the less disruptive option, which is the certificate-inspection. This one is a read-only SSL Handshake profile.


Once we have all that configured, we are ready to test and troubleshoot!


Testing

So the policy is applied and “working”; however, when I go to the main Instagram page, it still lets me see it. But I have not tried logging in yet. Let’s see if we get blocked then.


Trying to log in to Twitter, I get the following error, which tells me that the FortiGate is in the way and blocking me based on my actions.


Let’s check the Web Filter report to confirm that the block actually worked.

Although it worked, the page presented to me seems a bit creepy, and an end-user may feel the same; let’s see if there is a better way to block this access more politely.

Troubleshooting Response Page

After looking at a few things, I noticed that I had two things to correct. The one Firewall Policy I had was initially configured as Flow-Based, so I got a warning.


I modified my policy to Proxy-Based, and the alert was gone! But I was still getting the same message. The page was being blocked, but there was no proper error telling me that my company policy was blocking me. Looking closely, it is a certificate error: the FortiGate is inspecting and replacing the certificates of the blocked pages, and it wants to show me a block page that is only available over HTTPS.

Adding the Fortinet CA Certificate to Windows 10

I need to add the CA certificate of this FortiGate to the computer to see the block messages. So I decided to download it. Here is where you go to download it:

[Screenshot: the FortiGate page where the CA certificate is downloaded]

I needed to make sure it was in my trusted certificate store; here are some steps to do this.

Right-click the file and select Install.

I decided to install it under the Local Machine Store – This is so other users that log into the computer can also see it.


Once you do that, you may want to select the Store you want to place it in; I did that as follows. Make sure it is under the Trusted Root CAs.


We are ready to test again!

NOTE: Before we go anywhere, the process is painful if you are dealing with multiple computers and applying these policies. Keep in mind that if you are dealing with Windows computers that are part of a Windows Domain, there are options. GPO is one of them, and it’s super simple to do. I decided to include a quick walkthrough from Microsoft itself –> Distribute Certificate to Client Computers by Using Group Policy.
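The same install, done from the command line, as an added example (not from the original post or from Fortinet): it inspects the downloaded file before trusting it, imports it into Local Machine > Trusted Root Certification Authorities, and confirms it landed in the store. The file path and the expected thumbprint are assumptions; replace them with the path of your downloaded file and the thumbprint shown on your FortiGate.

```powershell
# Added example, not part of the original post or Fortinet's documentation.
# Assumptions: $CertPath is a hypothetical location of the downloaded CA file;
# $ExpectedThumbprint is a placeholder for the thumbprint shown on your FortiGate.
#Requires -RunAsAdministrator

$CertPath           = 'C:\Temp\Fortinet_CA_SSL.cer'               # hypothetical path
$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_FORTIGATE'   # placeholder

# Load the file without trusting it yet, so it can be inspected first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# A root CA should be self-signed and assert CA=TRUE in Basic Constraints.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (Subject: $($cert.Subject), Issuer: $($cert.Issuer))"
}
$basicConstraints = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
    throw "Certificate does not assert CA=TRUE; refusing to install it as a trusted root"
}

# Only trust the file if it is the CA the FortiGate actually presents.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match the value shown on the FortiGate"
}

# Import into the Local Machine store so every user on this PC trusts the block page.
# Cert:\LocalMachine\Root is "Trusted Root Certification Authorities" in the MMC snap-in.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm it is now present in the store.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) {
    throw "Import did not fail, but the certificate is not in Cert:\LocalMachine\Root"
}
Write-Host "Installed: $($installed.Subject) (valid until $($installed.NotAfter))"
```

Because certificate-inspection only touches the SSL handshake, this CA is needed only so the HTTPS block page verifies; it is still a full trusted root on that machine, so keep it to the computers the FortiGate protects. On a domain, the Microsoft article linked above does the same import through Group Policy instead of running this on each PC.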

Testing Again

This time we are successful!!


Changing the message to something of your choosing is easy; Fortinet ships pre-configured replacement web pages for this purpose.

If you know HTML, you can change this page and adjust the messages. I made a quick adjustment to the message – let’s see if it works.


What is next?

This quick Series of configuring a FortiGate was super fun to do! I will continue playing with the features and will add more posts.

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
Started working professionally in 2003, Andres is specialized in Unified Communications and Collaboration technologies | Enterprise Networks and Network Security. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations, including Cisco technologies, such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn, or Facebook.
