Skip to main content
sean3
sean3
Explorer II
January 22, 2025
Question

cannot access google via RIA solution on fortigate

  • January 22, 2025
  • 1 reply
  • 1351 views

greetings guys,

 

we use fortigate with firmware 7.2.10

 

I have an interesting topic. I am in a global organization with 4 sites globally. One is in China, the rest 3 are in Sweden, a totally free Internet world. My colleague in China site wants to access www.google.com but you know it is banned within China mainland. So, we are considering redirecting the https traffic destined for https service of www.google.com to our Sweden site.

we created an SD-WAN rule, with FQDN *.google.com as the destination. The outgoing interface, an ipsec tunnel interface based on MPLS to our Sweden site, is manually assigned to the sd-wan rule.

I did see the 443 traffic hit the SD-WAN rule and traffic log was seen both from China site firewall and Sweden site firewall, but the access was interrupted, and the browser gives me the error net::err_cert_common_name_invalid

Then I was thinking we need more SD-WAN rule to redirect other traffic (let's say, for certificate validation traffic ) to Sweden site maybe? But how can we identify what exactly the rule should be?

 

Thanks for any advice.

1 reply

AEK
SuperUser
AEK
SuperUser
January 22, 2025

Hi Sean

When the browser finds a certificate CN (and alt names) different than the entered FQDN then it stops the navigation with that error message to prevent possible data theft.

AEK
    sean3
    sean3Author
    Explorer II
    January 23, 2025

    thanks AEK for your great help,

    so, what could be the possible solution for this?

    one interesting thing is that if I do nslookup www.google.com with my organization's DNS server, it will be resolved to www.google.com.int.mycompany.com. Who did this abnormal resolution?

    AEK
    SuperUser
    AEK
    SuperUser
    January 23, 2025

    Hi Sean

    The solution could be by signing the certificate with a trusted CA. I think about deep inspection. I don't see any other solution.

     

    Edit: After thinking twice, there should be no need for deep inspection, but you can do something on the server's certificate. Try to add alternate name *.google.com to the certificate that is installed on server www.google.com.int.mycompany.com. Since it is signed by your private CA it should be feasible.

    AEK
      Terms & ConditionsAccessibility statement