MG4
Explorer III
October 9, 2025
Solved

SSL-Inspection does not exempt DDNS FQDN FortiOS 7.4.9

  • October 9, 2025
  • 1 reply
  • 686 views

Hello everyone,

 

I tried to exempt a DDNS FQDN, but it still gets blocked by the FortiGate.

SSL-Log:
SSL connection is blocked, certificate-status: expired untrusted

 

I tried with an Address FQDN object and also via this method: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-Exemption-based-on-FQDN-in-Proxy-based/ta-p/387569

 

The connection to the FQDN still gets blocked. I also have to add that we are using a different HTTPS port to reach the address (3438), and yes, the remote certificate is expired since it came with the device.

1 reply

Atul_S (Staff & Editor), accepted answer
October 9, 2025

Hi,

 

FortiGate will enforce the certificate validation prior to the SSL exemption. Please consider disabling certificate inspection. Also create the custom port for HTTPS as below:

 

config firewall ssl-ssh-profile
    edit <name>
        config https
            set ports 443 3438
        end
    next
end

 

See if this works.

 

Thanks,

MG4 (author), Explorer III
October 10, 2025

Hello,

 

Why does it work if we add the current IPv4 address of the DDNS FQDN to the exemptions? Why does it not work for FQDNs?

The FortiGate can resolve the IP of the FQDN, but the exemption does not work with only the FQDN as an exemption. It only works when we look the address up ourselves and add it manually.

 

Turning off cert inspection would fix the problem, but that would also lower the security for other websites.
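A complete configuration of the approach discussed in this thread, as an added example that is not from the original posts. The object names, the hostname `device.example.com`, the interface names and the policy ID are assumed. It puts the custom port 3438 where FortiOS expects it (under `config https` of the SSL/SSH profile), adds the FQDN address object as an SSL exemption the way the original poster tried, and, rather than turning certificate inspection off globally, relaxes the expired/untrusted certificate actions only on a dedicated profile that is bound to a single policy for this device, so every other policy keeps the default profile and its blocking behaviour. The `expired-server-cert` and `untrusted-server-cert` settings are stated as an assumption about the 7.4 CLI and should be confirmed with `?` on the unit before relying on them.

```fortios
# Added example, not from the thread. Names, hostname, interfaces and policy ID are assumed.

# 1. Address object for the DDNS hostname. The FortiGate resolves it itself,
#    so the exemption follows IP changes, unlike a manually entered IPv4 address.
config firewall address
    edit "ddns-device-fqdn"
        set type fqdn
        set fqdn "device.example.com"
    next
end

# 2. Service object for the non-standard HTTPS port used by the device.
config firewall service custom
    edit "tcp-3438"
        set tcp-portrange 3438
    next
end

# 3. Dedicated SSL/SSH profile used only by the policy that reaches this device.
config firewall ssl-ssh-profile
    edit "custom-expired-device"
        config https
            set status certificate-inspection
            # Inspect the custom port as well as 443 (the accepted answer's fix).
            set ports 443 3438
            # Assumed 7.4 CLI. The SSL log reported "certificate-status: expired untrusted",
            # so both actions are relaxed here, on this profile only.
            set expired-server-cert allow
            set untrusted-server-cert allow
        end
        config ssl-exempt
            edit 1
                set type address
                set address "ddns-device-fqdn"
            next
        end
    next
end

# 4. One policy scoped to the device carries the relaxed profile; all other
#    policies keep the default certificate-inspection profile unchanged.
config firewall policy
    edit 10
        set name "to-ddns-device"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "ddns-device-fqdn"
        set service "HTTPS" "tcp-3438"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "custom-expired-device"
        set logtraffic all
    next
end
```

After applying, re-test a connection to the device on port 3438 and check the SSL UTM log for the `certificate-status` field. If the FQDN exemption still does not apply (the behaviour the original poster describes), the two certificate actions on this profile are what let the session through, and because the profile is bound only to policy 10 the rest of the traffic is still validated and blocked as before.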