Explorer II

Solved

Fortigate is giving its own certificate when using certificate-inspection

Forum|Forum|4 years ago
March 21, 2022
5 replies
6198 views

Hello team!!

I have the following issue with a fortigate 60F (firmware 6.4.4)

We have all the rules from LAN to WAN, with "Certificate-inspection", no one with "Full-inspection", and the "Certificate-inspection" profile is the default one.

Sometimes, clients are having problems browsing in the internet, because Fortigate is giving to user its own certificate and it is not trusted in clients

I know a possible solution is to install the fortigate certificate in clients but I prefer to know why is happening this

Do you know why fortigate could give its own certificate to clients even using default "Certificate-inspection" profile?

Thanks in advance.

Regards,

Damián

FortiGate

Best answer by damianhlozano

Finally changed the protocol and port for fortiguard connections and worked

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end

Thanks!

anikolov

Staff

Hello Damian,

I believe we have the answer for your question in the KB article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-error-when-accessing-blocked-page/ta-p/191051

Please let me know if you need further explanation.

Regards,

Debbie_FTNT

Staff & Editor

Hey Damián,

to clarify Aleksandar's update:

- the Fortigate may be blocking the connection for some reason

- if the FortiGate blocks something, it displays a replacement message it hosts itself

-> this replacement message will use the FortiGate's own certificate

- this is entirely independent of deep-inspection or certificate-inspection happening

damianhlozanoAuthor

Explorer II

Thank you both for your answers, but Fortigate is not blocking anything

The issue happens with any page but the same page with the issue sometimes is working fine

For example, today tried to access login.microsoft.com and did not work, after 5 minutes without change anything in the fortigate, it started to work.

Someone told me that the issue is not happening in Edge, only in Chrome

Any idea?

Regards,

Damián

damianhlozanoAuthor

Explorer II

I just see that Fortigate is blocking QUIC with application control, but the category where this belong, was configured as monitor, I just change this to allow

Why can this block an application with action "Monitor"?

Regards,

Damián

damianhlozanoAuthor

Explorer II

Change this to "Allow" does not solve the issue

QUIC still being blocked by application control

Any idea?

Regards

Damián

damianhlozanoAuthor

Explorer II

I just see another error

In web filter logs: "all Fortiguard servers failed to respond"

I think maybe this is the issue

I will continue with the ticket in support.fortinet.com

Thanks

Damián

Debbie_FTNT

Staff & Editor

Hey Damián,

if your FortiGate can't reach FortiGuard, then it is likely that your webfiltering is blocking everything.

-> webfilter relies on reaching FortiGuard servers for category information (there is a cache on FortiGate, but it doesn't hold that much information)

-> you probably have 'Allow websites when rating error occurs' disabled:

If that ssetting is turned off, then FortiGate will block the connection, and (try to) present a block page, using its own certificate

damianhlozanoAuthor

Explorer II

Yes, this is the problem, occurs with every site but not allways, sometimes

I know about this option (Allow website when a rating error ocurred) and I enabled it some minutes ago.

I need to troubleshoot fortiguard connectivity issues but I will continue with fortigate support

Thanks

damianhlozanoAuthorAnswer

Explorer II

Finally changed the protocol and port for fortiguard connections and worked

config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end

Thanks!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded