Skip to main content
ChrisRX
ChrisRX
New Member
April 25, 2017
Question

Firmware 5.6 Fortigate 70D - Broken Named Address Objects and Forced SSL Inspection.

  • April 25, 2017
  • 1 reply
  • 11687 views

Hi,

 

I'm wondering if anyone else has upgraded their Fortigate 70D FWs to 5.6 yet? Did it go well? I did a couple of days ago, and well. Named Address Objects seemed to have stopped working randomly(Also on one of my 60D WIFi) on an already well working and well established IPSec tunnels, hat according to support I had to revert back to static subnets in each Phase 2 selector group instead of named groups of addresses. Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs. I cannot remove this feature from any on my policies. I'm going to have to call support again, however I wanted to post this here to see if anyone else has had any of these issues yet. Will try and post back what support says. I've attached a quick screen shot of the message I get after DE-Selecting the SSL inspection object then applying ok. Strange. I have a third site with a 70D that I've also upgraded to firmware to 5.6 that's not having any of these concerns.

 

Any thoughts?

1 reply

hmtay_FTNT
Staff
hmtay_FTNT
Staff
April 27, 2017

Hi Chris,

 

>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.

 

In your image you upload, what the Fortigate is forcing you to do is to either select at least the default "certificate-inspection" or "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.

 

If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.

 

HoMing

EMES
EMES
New Member
May 2, 2017

hmtay wrote:

Hi Chris,

 

>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.

 

In your image you upload, what the Fortigate is forcing you to do is to either select at least the default "certificate-inspection" or "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.

 

If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.

 

HoMing

 

Does 5.6 force some type of certificate inspection then? Looking at a VM for testing thats what it seems unless its in the CLI.

hmtay_FTNT
Staff
hmtay_FTNT
Staff
May 2, 2017

>>Does 5.6 force some type of certificate inspection then? Looking at a VM for testing thats what it seems unless its in the CLI.

 

Yes. FortiOS 5.6 will automatically enable the most basic certificate-inspection if any module that requires scanning the SSL sessions are enabled like Application Control or Web Filter.

Terms & ConditionsAccessibility statement