Skip to main content
dclabs
dclabs
Visitor III
March 25, 2022
Question

SSL Deep Inspection not working with Chrome and Edge browsers

  • March 25, 2022
  • 9 replies
  • 27570 views

Hi All,

 

I've configured a policy with SSL Deep Inspection for my company and installed the Fortigate CA certificate on our devices in order to now be shown the certificate warning. However (on both mac and windows devices) when using Firefox it does seem to work correctly and the certificate shown by the browser is the Fortigate's, though when using either Chrome or Edge the certificates shown in the browser are the original webserver certificates, just as if the deep inspection policy didn't exist at all.

 

What am I missing?

 

 

9 replies

sharmaj
Staff
sharmaj
Staff
March 25, 2022

Hi

You need to check what is the TLS version used in Chrome or Edge.

Since Firefox has its own settings and they might be configured in tandem with the firewall's security TLS version thus you are not seeing the error.

Try to manipulate the TLS versions of browsers to what you have under fortigate settings.

config system global
    set admin-https-ssl-versions

 

    dclabs
    dclabsAuthor
    Visitor III
    March 25, 2022

    I've enabled 'Enforce SSL cipher compliance' and 'Enforce SSL negotiation compliance' on the FG security profile and now it seems to work properly on MAC OS devices, both Firefox and Chrome show websites certificates as issued by Fortinet. Though the situation on Windows devices remains unchanged: Firefox works as expected, while Chrome and Edge do not show any warning but the certificates are issued by the original CA (Google, GlobalSign, etc.).

    sharmaj
    Staff
    sharmaj
    Staff
    March 25, 2022

    Hi

    I believe this entirely depends on the webserver, in general:

    If you see Fortinet as issuer, that means FortiGate is re-signing the certificate and acts as a man-in-the-middle.

    The FortiGate receives the Original Server Certificate from the server, and will then sign it with its CA Certificate (Fortinet_CA or another). The Issuer of the Signed Server Certificate will be changed at this time. Finally, the client will receive the Signed Server Certificate from FortiGate.

    dclabs
    dclabsAuthor
    Visitor III
    March 25, 2022

    yeah, that's clear. Though my expectation was to see the Fortigate act as a man-in-the-middle and resign the certificate for every single session, since deep inspection is enable. Am I wrong?

    BryanV93
    BryanV93
    New Member
    August 13, 2023

    In case you never solved this. Web filtering needs to be enabled on the policy for it to work. I was just dealing with this same issue where the sites were signed by the original CA but when I enabled Web Filtering on the policy on the fortigate now all sites show signed by my fortigate. Hope this helps other people who search for solutions on this problem.

    asengar
    Staff
    asengar
    Staff
    August 13, 2023

    Hi @dclabs 

     

    Thanks for posting your query

     

    Can you confirm if the policy is in proxy based or flow based. Also post installing the certificate in the local machine is it reflecting in the OS level or have you imported the certificate on the browser level .

     

    Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

     

    If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard

    Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

     

    If you are using macOS, double-click the certificate file to launch Keychain Access

    Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

     

    Firefox(windows and MAC)

    Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.

    If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.

    In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab

    Select View Certificates, select the Authorities list. Import the certificate and set it to be trusted for website identification.

     

     

     

      ede_pfau
      SuperUser
      ede_pfau
      SuperUser
      August 13, 2023

      @asengar

      Quite true in the past, but things have changed.

      As of FF 49, you can configure FF to trust the Windows cert store. This way, you can centrally manage your clients even if they are using FF.

       

      How to make FireFox trust the Windows cert store:

      Type "about:config" into the address bar.

      type "security.enterprise_roots.enabled" to search for the entry. If not present, create a Boolean entry with this name.

      Set the value to "true".

       

      Reference: for example, Cisco Umbrella 

      alshinnaq
      alshinnaq
      New Member
      August 13, 2023

      Hi,

       

      Please make sure that QUIC protocol is blocked.

       

      for more details, please find attached below link.

       

      Technical Tip: Block QUIC Protocol - Fortinet Community

      Bjay_Prakash_Ghising
      Bjay_Prakash_Ghising
      Explorer II
      August 13, 2023

      Hi dclabs, 

       

      In order for a deep inspection to work, you need at least one security profile configured to the policy. 

       

      Make sure, you have a security profile attached to the policy that the traffic traverses.

       

      Hope that helps, 

       

      Kind Regards, 

      Bijay Prakash Ghising

      San_SP
      San_SP
      New Member
      November 30, 2024

      Disable 'Use ML-KEM in TLS 1.3' flag on chrome. 

       

      follow the below KB article.

      https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-filter-is-not-blocking-websites-on-Google/ta-p/297956

       

      this should fix the issues on chrome and edge.

       

       

      Disable TLS 1.3 hybridized Kyber support on the Google Browser and/or Microsoft Edge:
      For Google Browser: Navigate to chrome://flags/.
      Search for TLS 1.3 hybridized Kyber support.
      Set the action to Disable.

      sw2090
      SuperUser
      sw2090
      SuperUser
      December 2, 2024

      @San_SP: at least in FOS 7.2.x this issue is fixed via OTA Update of IPS Engine. Anyways this issue doesn't give you certificate errors but ssl protocol errors. So I don't think it is this issue.

      Terms & ConditionsAccessibility statement