Hello guys,I'm working on a Forticlient EMS system.In the last year I noticed that some sites deny the user access.I explain myself: sometimes the cloudflare captcha denies (the image above is just an example from internet) the user access to the websites (ChatGpt is one of them).Now, the same is appening with the onesignal.com site:on the EMS I have a web filtering profile with deep inspection enabled:now, If I am not mistaken, the deep inspection makes forticlient decrypting and re-encrypting the traffic with its own certificate. I believe that this is causing the issue, but please correct me if I'm wrong.I also added the onesignal.com site to the exemption from the web filtering, but the issue is the same.Is anybody of you experiencing the sam issue? Any idea to solve it?Thank you for your support.

raffaeledp

Explorer III

Question

Is the Forticlient deep inspection a problem?

Forum|Forum|8 months ago
October 10, 2025
2 replies
705 views

Hello guys,

I'm working on a Forticlient EMS system.

In the last year I noticed that some sites deny the user access.

I explain myself:

sometimes the cloudflare captcha denies (the image above is just an example from internet) the user access to the websites (ChatGpt is one of them).

Now, the same is appening with the onesignal.com site:

Screenshot 2025-10-10 alle 15.00.00.png

on the EMS I have a web filtering profile with deep inspection enabled:

Screenshot 2025-10-10 alle 15.02.02.png

now, If I am not mistaken, the deep inspection makes forticlient decrypting and re-encrypting the traffic with its own certificate. I believe that this is causing the issue, but please correct me if I'm wrong.

I also added the onesignal.com site to the exemption from the web filtering, but the issue is the same.

Is anybody of you experiencing the sam issue? Any idea to solve it?

Thank you for your support.

funkylicious

SuperUser

check https://docs.fortinet.com/document/fortigate/7.0.0/new-features/989515/allow-deep-inspection-certificates-to-be-synchronized-to-ems-and-distributed-to-forticlient-7-0-1

"jack of all trades, master of none"

raffaeledpAuthor

Explorer III

Hello, thanks for your reply. I checked the guide steps, and I already have the Fortigate certificate installed on the EMS.

maybe I am missing the point. The clients are outside the Fortigate network, they're working from home, so Fortigate should not be involved in this situation, because the only system involved should be Forticlient. What am I missing?

sukaltu01

New Member

With so many and clear information I'm going to assume it is with cloud flare sites and then it likely is because of them changing ECH lately. try excluding cloudflare-ech.com from ssl inspection

raffaeledpAuthor

Explorer III

Hello, thanks for your reply. I could disable the deep inspection, but not for just one site. I could disable it for all the sites.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded