McEathron
New Member
August 20, 2018
Question

Prevent Certificate Warnings without SSL Deep Inspection (Certificate Inspection only)

  • August 20, 2018
  • 1 reply
  • 14197 views

I found a great Cookbook article on preventing Certificate Warnings with SSL Deep inspection enabled. It didn't make mention of how to do this without SSL Deep Inspection enabled.

Wondering if it's even possible with L2 firewalls, given that the only IP to associate with a cert is the management IP.

1 reply

sw2090
SuperUser
August 21, 2018

You get those certificate warnings because SSL Deep inspection is man-in-the-middle. This means the connection from your FGT on to your client will be encrypted with a certificate on the FGT and only the other half is encrypted with the original certificate. By default there is only some self-signed cert installed on the FGT.

So you either have to install the Fortinet CAs on your client to enable them to validate the default cert, or install a new one that has a CA already known by the browsers. Keep in mind this requires a certificate that is able to create certificates (CA) because of man-in-the-middle.

What do you mean without SSL Deep Inspection? The certificate used if you access your FGT via https? Same issue as above. Install Fortigate CAs or your own valid certificate for https.

McEathron
Author
New Member
August 21, 2018

Thank you for jumping in the water so quick, sw! I appreciate the immediate feedback.

To answer your question, what I mean about "without SSL Deep Inspection" is when you go to Policy & Objects>Security Profiles>SSL/SSH Inspection>Inspection Method and do not choose "Full SSL Inspection", but instead use "SSL Certificate Inspection".

I probably should use the term "Full Inspection" instead of "Deep Inspection", even if so much of the documentation has "Deep" used in it. My apologies for the confusion. Thank you for asking for clarification.

This is in conjunction with Flow Based Web Filtering enabled.

McEathron
Author
New Member
August 21, 2018

Basically, the preliminary observation we have is that a component of an application is reaching out to a “doubleclick.net” related domain that is being blocked due to advertising. The block itself is not causing an issue that we know of; it is the security settings in the IE-based built-in browser in the application that is throwing up errors caused by the self-signed certificate of the WFC not having a valid CRL URL.

We get a Security Alert pop-up that says "Revocation information for the security certificate for this site is not available. Do you want to proceed?"

With just SSL Certificate Inspection and Flow Based Web Filtering enabled, we're not sure how best to address this.