rockden
Explorer III
December 7, 2024
Solved

Fortinet DPI

  • December 7, 2024
  • 2 replies
  • 2565 views

I have set up Fortinet DPI, but I'm getting an untrusted cert error.

Best answer by sjoshi

This can be changed only via the CLI, as below:

config firewall ssl-ssh-profile
    edit <>
        set untrusted-caname "Fortinet_CA_Untrusted" --> change to the certificate that you wish to use for untrusted connections
    next
end

The FortiGate shows "Server certificate is re-signed as untrusted, certificate-status: untrusted" in the logs because the CA that signed the server's certificate is not in the FortiGate's trusted store.

Now, from the URL below:
https://www.ssllabs.com/ssltest/analyze.html?d=sigupdates.marshal.com&s=152.199.6.70#whyNotTrusted

You need to import the root CA of the website/server you are accessing into the FortiGate trust store.
The FortiGate has a certificate store in which the root CA certificates are kept. The root CA of the website you are visiting is not in that store, which is why you are getting the untrusted cert.
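The answer above says the fix is per-site (import the root CA of the server being visited), and the thread later notes that only some websites trigger the message. Before importing anything, a practitioner wants to know which destinations the FortiGate is re-signing as untrusted. The following is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key=value log lines, keeps only SSL UTM events whose msg says the server certificate was re-signed as untrusted, and groups them by destination. The sample log lines are constructed to approximate the FortiGate log format (field names such as hostname, and all values, are assumptions for illustration, not captured logs).

```python
import re
from collections import OrderedDict

# Constructed sample log lines approximating FortiGate UTM/SSL event logs.
# Field names and values are illustrative assumptions, not real captures.
SAMPLE_LOGS = """\
date=2024-12-07 time=09:12:31 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="root" srcip=10.10.20.15 srcport=50214 dstip=152.199.6.70 dstport=443 service="HTTPS" profile="deep-inspection" hostname="sigupdates.marshal.com" action="exempt" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted."
date=2024-12-07 time=09:12:35 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="root" srcip=10.10.20.15 srcport=50220 dstip=152.199.6.70 dstport=443 service="HTTPS" profile="deep-inspection" hostname="sigupdates.marshal.com" action="exempt" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted."
date=2024-12-07 time=09:13:02 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="root" srcip=10.10.20.31 srcport=50301 dstip=192.0.2.44 dstport=8443 service="HTTPS" profile="deep-inspection" hostname="intranet.example.internal" action="exempt" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted."
date=2024-12-07 time=09:13:10 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="root" srcip=10.10.20.31 srcport=50310 dstip=198.51.100.9 dstport=443 service="HTTPS" profile="deep-inspection" hostname="selfsigned.example.test" action="blocked" msg="Server certificate blocked"
date=2024-12-07 time=09:14:00 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.20.15 dstip=203.0.113.7 dstport=443 service="HTTPS" action="accept" msg="ok"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The message the FortiGate emits when it re-signs with the untrusted-caname CA.
UNTRUSTED_RE = re.compile(r"re-signed as untrusted.*certificate-status:\s*(\w+)", re.I)


def parse_fortigate_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_untrusted_resign(fields):
    """True only for SSL UTM events whose msg reports an untrusted re-sign."""
    if fields.get("type") != "utm" or fields.get("subtype") != "ssl":
        return False
    return UNTRUSTED_RE.search(fields.get("msg", "")) is not None


def triage_untrusted(log_text):
    """Group untrusted re-sign events by destination (hostname if present, else dstip).

    Returns an ordered dict: destination -> {dstip, dstport, profile, count, clients}.
    Each destination listed is a site whose issuing root CA is missing from the
    FortiGate trust store (or whose certificate failed validation for another reason).
    """
    report = OrderedDict()
    for line in log_text.splitlines():
        f = parse_fortigate_line(line)
        if not f or not is_untrusted_resign(f):
            continue
        dest = f.get("hostname") or f.get("dstip", "?")
        entry = report.setdefault(dest, {
            "dstip": f.get("dstip"), "dstport": f.get("dstport", "443"),
            "profile": f.get("profile"), "count": 0, "clients": set(),
        })
        entry["count"] += 1
        entry["clients"].add(f.get("srcip"))
    return report


def chain_fetch_command(dest, port="443"):
    """openssl command to pull the server's chain so its root issuer can be identified and imported."""
    return f"openssl s_client -connect {dest}:{port} -servername {dest} -showcerts </dev/null"


def format_report(report):
    """Human-readable summary, one destination per line."""
    lines = []
    for dest, e in report.items():
        lines.append(f"{dest} ({e['dstip']}:{e['dstport']}, profile {e['profile']}): "
                     f"{e['count']} untrusted re-sign event(s) from {len(e['clients'])} client(s)")
        lines.append("    next step: " + chain_fetch_command(dest, e["dstport"]))
    return lines


if __name__ == "__main__":
    for line in format_report(triage_untrusted(SAMPLE_LOGS)):
        print(line)
```

Only events whose msg carries the "re-signed as untrusted" text are counted; a "Server certificate blocked" event or ordinary traffic log is left out, so the output is the list of servers whose root CA should be checked (and, if legitimate, imported into the FortiGate trust store) rather than every SSL anomaly.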

2 replies

ebilcari
Staff
December 7, 2024

Due to the nature of DPI, this is expected if the configuration is not completed. You can take a look at this article, which goes into detail explaining why this happens and how to complete the implementation.

Emirjon
sjoshi
Staff
December 7, 2024

Hi,

Please check the SSL event logs and see what you are getting.

Have you installed the CA cert used for DPI on the end-user machine? If possible, share a snapshot for better understanding.

Thanks, Salon
rockden (Author)
Explorer III
December 7, 2024

Yes, I have installed the certificate on the end user.

The error I'm getting in the SSL event logs is msg="Server certificate is re-signed as untrusted, certificate-status: untrusted."

And it is happening when accessing some of the websites, not all of them.

sjoshi
Staff
December 7, 2024

--> By default, the FGT checks the server certificate of the destination website. When the FortiGate cannot successfully authenticate the server certificate (e.g. untrusted root CA, expired, or self-signed certificate), it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).

Thanks, Salon