Frosty
New Member
February 23, 2012
Question

HTTPS Deep Scanning and certificate errors

  • February 23, 2012
  • 14 replies
  • 18151 views
On my FG200B I am now running v4.0 MR3 Patch 5. I've been using HTTPS content inspection ever since v4.0 MR2 Patch 2 and we've always had intermittent problems with it. Most of the time it works fine, but intermittently we get a browser error warning that the certificate is not trusted; if we proceed anyway, things always work, but I am struggling to understand why this problem exists and why it is intermittent.

I have exported the FGT's main certificate named "Fortinet_Factory" and also the signing CA certificate named "Fortinet_CA". These have been deployed to all PCs using a GPO. I've also tried adding the certificate named "Fortinet_CA_SSLProxy" to this list of certs rolled out via GPO (didn't seem to make a difference).

Can anyone explain to me, in hopefully simple terms: (1) why I am getting these errors with the HTTPS Deep Scanning; (2) why the problem seems to be intermittent; and (3) is there anything I can do to permanently fix it, or am I stuck with it?

I have a support ticket open at the moment on this, and Support have referred me to a document "UTM Guide version 4.3" pg194 ... which I have read several times now ... but I still do not understand why it is the case that the problem is intermittent.

    14 replies

    Carl_Wallmark
    New Member
    February 23, 2012
    Hi Stephen, it's only the "Fortinet_CA_SSLProxy" you need to push to your clients, and it should be installed in "Trusted Root" under "Computer". When it works, you should be able to go to an HTTPS page and verify the certificate; it should say something like: Issued to: accounts.gmail.com, Issued by: FortiGate CA.
    Frosty (Author)
    New Member
    March 2, 2012
    OK, I can confirm that the "Fortinet_CA_SSLProxy" cert is installed on my PC in the Trusted Root Certification Authorities store. Yet I was still getting occasional SSL trust errors in my browser. I opened a case with Fortinet and was advised that this issue is a "side effect" of the SSL Content Inspection ("Deep Scanning") function. So ... I turned off that option ... but ... even with Deep Scanning turned off I am STILL getting occasional SSL trust-related errors. So I am starting to wonder whether this is a fault that is not due to the Fortigate at all, but might be caused by something else ... either the time on my PC vs the remote server is out of sync, or maybe the Fortigate's date/time is not quite right, or something else. Mystified!
    Kalpesh
    New Member
    March 3, 2012
    Hi, can anyone tell me how to block web sites in a FortiGate 110C? Also, please send me any documentation available for the whole device configuration.
    himani_FTNT
    Staff
    June 25, 2012
    Build: 4 MR3 patch 7. Also, try enabling the "deep scan" in the firewall protocol options under HTTPS:

        config https
            set port 443
            set options allow-invalid-server-cert
            unset post-lang
            set deep-scan enable
        end

    Upload the certificate Fortinet_CA to all three browsers: IE, Firefox and Chrome.
    Frosty (Author)
    New Member
    March 13, 2012
    I have re-opened my SSL certificate errors issue with Fortinet Support. It still looks to me like every now and again the FG200B is throwing an invalid certificate at the browser. I have managed to screen cap these and now will wait to see what the Fortinet software engineers can tell me about them.
    Matthijs
    New Member
    March 13, 2012
    When you receive an error and continue you should be able to view the certificate and see what the exact error message is (for example certificate is valid but not for the requested domain or certificate has expired).
    Frosty (Author)
    New Member
    March 14, 2012
    The certificate the browser is given looks like this ... the identity is the ID of the FG200B and it is self-signed (so it isn't signed by the SSL Proxy cert in the FG200B). Because it is self-signed the browser will never accept it as valid, even if I import it into the Trusted Certification Authorities store.
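    The three outcomes this thread keeps circling (Carl's "Issued by: FortiGate CA" when inspection works, the original "not trusted" warning, and the self-signed device certificate above) come down to two separate browser checks: does the presented certificate chain to something in the trust store, and does it carry the name of the site being visited. The Go program below is an added example, not code from the thread or from Fortinet: it builds a constructed lab PKI (a stand-in "FortiGate CA" and keys generated on the fly, nothing from a real unit), re-signs a leaf for accounts.gmail.com the way the SSL proxy does, and also makes a self-signed certificate with a hypothetical unit name "FG200B-lab-unit". It then runs the same verification a browser runs and reports which check failed. With the CA in the store the proxied leaf verifies; without it you get the "untrusted issuer" error Frosty started with; and the device certificate fails on the name check even when it is itself trusted, because it carries no SAN for the site, which is why importing it cannot make that case pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LabPKI is a constructed stand-in for the certificates discussed in the
// thread: the FortiGate signing CA, a site leaf it re-signs during deep
// inspection, and a self-signed certificate carrying the unit's own identity.
// Keys and certificates are generated here; none of them are Fortinet's.
type LabPKI struct {
	CA, SiteLeaf, DeviceCert *x509.Certificate
}

// template returns a short-lived certificate template with the given CN.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Fortinet"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign issues tmpl under parent (or self-signs it when parent is nil) with a
// fresh P-256 key and returns the parsed certificate plus its private key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildLabPKI constructs the CA, the proxied site leaf and the device cert.
func BuildLabPKI() LabPKI {
	ca, caKey := sign(template("FortiGate CA", 1, true), nil, nil)
	site := template("accounts.gmail.com", 2, false)
	site.DNSNames = []string{"accounts.gmail.com"} // the SAN is what browsers match
	leaf, _ := sign(site, ca, caKey)
	// Hypothetical unit identity (a real unit presents its serial number);
	// deliberately no SAN, as the self-signed device certificate has none for the site.
	dev, _ := sign(template("FG200B-lab-unit", 3, false), nil, nil)
	return LabPKI{CA: ca, SiteLeaf: leaf, DeviceCert: dev}
}

// Classify performs the browser's checks (chain to the trust store, then
// hostname) and names the one that failed.
func Classify(presented *x509.Certificate, trusted []*x509.Certificate, host string) string {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted issuer: " + presented.Issuer.CommonName
	case errors.As(err, &hostname):
		return "name mismatch: cert is for " + presented.Subject.CommonName + ", not " + host
	default:
		return "other: " + err.Error()
	}
}

func main() {
	p := BuildLabPKI()
	host := "accounts.gmail.com"
	fmt.Println("CA pushed by GPO:  ", Classify(p.SiteLeaf, []*x509.Certificate{p.CA}, host))
	fmt.Println("CA not in store:   ", Classify(p.SiteLeaf, nil, host))
	fmt.Println("device cert shown: ", Classify(p.DeviceCert, []*x509.Certificate{p.CA, p.DeviceCert}, host))
}
```

    The practical use of this split is in reading the browser's error detail, as Matthijs suggests: an "issuer not trusted" error means the signing CA is missing from the machine store, while a "name mismatch" on a certificate whose subject is the firewall itself means the unit handed out its own certificate instead of a re-signed copy of the site's, and no amount of trust-store work on the client will change that.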
    Frosty (Author)
    New Member
    April 26, 2012
    More news in what is rapidly becoming a saga. Found an extra location where HTTPS scanning might have been happening (in an Antivirus profile). Removed this. Didn't fix the problem. On the advice of Fortinet Support we took a backup of the config, formatted the boot disk of the 200B, reflashed new firmware (MR3 Patch 5) and then reloaded our config. Problem is still not fixed. Did note that now when the error occurs the certificate presented is different ... start/end date is not the same ... and the start date is the date we did the reload of the firmware. So the firewall generates its own internal certificate when installing firmware, and for some reason when browsing websites it occasionally presents this internal cert to the browser instead of the cert from the website in question.
    Carl_Wallmark
    New Member
    April 27, 2012
    I think you got the wrong cert; the SSL_Proxy cert is the same on all Fortigates, it's not unique. The details should be:

        Certificate Name: Fortinet_CA_SSLProxy
        Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
        Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
        Valid From: 2008-10-18 00:46:39 GMT
        Valid To: 2028-10-13 00:46:39 GMT
        Version: 3
        Serial Number: 00
        Extension: X509v3 Basic Constraints (Critical: no), Content: CA:TRUE
    izatt82
    New Member
    May 2, 2012
    Just a question: are the sites you are going to doing mutual auth? Figured I would ask; we had problems with deep packet inspection of SSL because it has to do a MITM, which breaks when using mutual auth.
    Fortinet_SV
    New Member
    June 25, 2012
    Thank you