ppatel
Staff & Editor
November 25, 2021

Technical Tip: How to allow/block the Expired/Invalid Certificates in firewall ssl-ssh-profile

Description

This article describes how to allow or block expired and otherwise invalid server certificates in the firewall ssl-ssh-profile, and which setting controls this in each FortiOS release.

Note that when deep inspection is used the FortiGate terminates the TLS session and presents the client with a certificate re-signed by its own CA, so allowing an expired or invalid server certificate hides the defect from the client entirely; the client cannot detect it on its own. Block is the safe default and allow should be a deliberate exception.
Scope

FortiGate.

Solution

v6.0.

 

config firewall ssl-ssh-profile
    edit <SSL-SSH-PROFILE-NAME>
        set allow-invalid-server-cert [enable | disable]
    next
end


v6.2.

 

config firewall ssl-ssh-profile
    edit <SSL-SSH-PROFILE-NAME>
        config <ssl|https|ftps|imaps|pop3s|smtps>
            set invalid-server-cert [allow|block]
        end
    next
end


v6.4 and above. The single invalid-server-cert setting is split into separate per-condition settings (expired-server-cert, and for example revoked-server-cert as used in the example further below), each accepting allow, block or ignore.

 

config firewall ssl-ssh-profile
    edit <SSL-SSH-PROFILE-NAME>
        config <ssl|https|ftps|imaps|pop3s|smtps>
            set expired-server-cert [allow|block|ignore]
        end
    next
end


Configuration requirements.

  • Firewall policy requirements:
    • A web filter profile applied.
    • Proxy-based inspection mode.
  • SSL/SSH inspection: certificate inspection enabled (deep inspection optional).

 

Configuration example to block expired and revoked certificates (showing only the related elements).

 

SSL/SSH inspection profile:

 

F2 (Clone of deep-in~ion) # show
config firewall ssl-ssh-profile
    edit "Clone of deep-inspection"
        config https
            set ports 443
            set expired-server-cert block
            set revoked-server-cert block
        end
    next
end

Firewall policy:

 

config firewall policy
    edit 1
        set name "IN-OUT-H"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "Clone of deep-inspection"
        set webfilter-profile "default"
    next
end
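To verify that the policy above actually enforces the block, the following Python script (an added example for this article, not Fortinet code) is run from a client behind the FortiGate. It performs a verified TLS handshake against a test host and classifies what the client observed: a certificate re-signed by the firewall CA (deep inspection decided), the original defective certificate (certificate inspection, or the profile allows/ignores it), or a session torn down during the handshake (blocked). It assumes the client trusts the CA the profile re-signs with (the profile's caname, Fortinet_CA_SSL by default) and that FORTIGATE_CA_CN is set to that CA's commonName; "FortiGate CA" is a placeholder to replace. expired.badssl.com is a public test host that deliberately serves an expired certificate.

```python
"""Client-side probe: what does a client behind the FortiGate see when it
connects to a host whose server certificate is expired, revoked or untrusted?
Added example for this article; not Fortinet code."""
import socket
import ssl

# Assumption: commonName of the CA named in the profile's 'set caname'.
# Replace with the CN of your own re-signing CA.
FORTIGATE_CA_CN = "FortiGate CA"

# OpenSSL X509 verification result codes (x509_vfy.h)
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_CERT_REVOKED = 23

REASONS = {
    X509_V_ERR_CERT_NOT_YET_VALID: "not-yet-valid",
    X509_V_ERR_CERT_HAS_EXPIRED: "expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "untrusted",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "untrusted",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "untrusted",
    X509_V_ERR_CERT_REVOKED: "revoked",
}


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl getpeercert() dict, or None.
    The 'issuer' entry is a tuple of RDNs, each RDN a tuple of (name, value)."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def classify(outcome, resign_ca_cn=FORTIGATE_CA_CN):
    """Map a handshake outcome to what the firewall did.

    outcome: the getpeercert() dict when the handshake verified, otherwise
             the exception the handshake raised.
    Returns (verdict, detail).
    """
    if isinstance(outcome, dict):
        cn = issuer_cn(outcome)
        if cn == resign_ca_cn:
            # Deep inspection re-signed the server certificate: the client
            # cannot tell whether the original was expired; the FortiGate decided.
            return ("resigned-by-firewall", cn)
        return ("valid", cn)
    if isinstance(outcome, ssl.SSLCertVerificationError):
        # The original, defective certificate reached the client unmodified:
        # certificate-inspection mode, or the profile allows/ignores it.
        code = getattr(outcome, "verify_code", None)
        return ("original-cert-" + REASONS.get(code, "invalid"), code)
    if isinstance(outcome, (ConnectionResetError, ssl.SSLEOFError,
                            ssl.SSLZeroReturnError)):
        # Session torn down during the handshake: the FortiGate blocked it.
        return ("blocked", type(outcome).__name__)
    return ("unknown", repr(outcome))


def probe(host, port=443, resign_ca_cn=FORTIGATE_CA_CN, timeout=5.0):
    """Verified TLS handshake to host:port using the system trust store
    (which must include the FortiGate CA for re-signed sessions to verify)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), resign_ca_cn)
    except OSError as exc:  # ssl.SSLError and its subclasses are OSErrors
        return classify(exc, resign_ca_cn)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "expired.badssl.com"
    print(target, probe(target))
```

With expired-server-cert set to block, a client under certificate inspection should get "blocked"; under deep inspection the FortiGate may instead complete the handshake with its own re-signed certificate and serve a replacement page, so a "resigned-by-firewall" verdict should be followed by checking the HTTP response. An "original-cert-expired" verdict means the expired certificate passed through to the client and only the browser's own validation stands between the user and the host.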