x_member
New Member
November 16, 2017
Question

SSL Inspection policy failing to use new certificate

  • November 16, 2017
  • 1 reply
  • 37697 views

Fortigate 60D v5.2.11

 

We've had cause to re-issue the certificate that we use for deep inspection on outbound traffic (moving from SHA-1 to SHA-256). This certificate has been installed as trusted on all affected internal clients.

 

To try and ensure a smooth transition, I've installed the new certificate and set it for use in a cloned copy of the outbound deep inspection SSL inspection policy, leaving the original SHA-1 certificate used by the original outbound inspection policy.

 

I've switched one of the firewall rules for traffic to use the new SSL inspection policy with the SHA-256 certificate. 

That was 50 minutes ago; however, the Fortigate is still utilising the original SHA-1 certificate for inspection (as checking the certificate chain of any inspected HTTPS website confirms). This behaviour is replicated across multiple clients and browsers (IE11, Chrome, Firefox).

 

I'm assuming that the Fortigate has cached the old certificate. 

Rebooting the firewall is not an option.

How do I 'encourage' the firewall to respect this configuration change and begin using the new SHA-256 certificate to inspect outbound traffic? Is there a process I can restart without interfering with other functionality / traffic?

 

 

    1 reply

    tanr
    New Member
    November 16, 2017

    I think clearing the ssl certificate cache is done with

     

    diag test app ssl 12

     

    Details at http://kb.fortinet.com/kb/viewContent.do?externalId=FD32679

     

    x_member (Author)
    New Member
    November 16, 2017

    Unfortunately 

    diagnose test application ssl 0
    is rejected as a command parse error.

     

    Substituting 'debug' for 'test' and trying 0, 12, and 99 options returns no error in the CLI and no output.

    Symptoms remain unchanged, with the certificate chain showing the 'old' SHA-1 certificate.

     

     

    I'm not sure the ssl application is present anymore (per https://forum.fortinet.com/tm.aspx?m=135228)

     

    I've also tried restarting proxyworker, with no change to the symptoms. Very frustrating.

     

     

    emnoc
    New Member
    November 16, 2017

    Can you do any of the following

    1: disable the ssl-inspection, wait and then re-enable

    or

    2: disable and then re-enable the fwpolicy-id <xxx>

    Does that fix the issue?
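The check the original poster relied on (look at the chain a client receives from an inspected HTTPS site and see which inspection CA re-signed it, and with which digest) written out as a script you can run before and after toggling the inspection profile or the policy as emnoc suggests. This is an added example, not code from the thread or from Fortinet. It assumes only the openssl command-line tool, generates every certificate locally so it runs offline, and uses constructed names (Old-Inspection-CA, New-Inspection-CA, inspected.example). The leaf is deliberately issued from the old CA to reproduce the symptom in the thread; the commented s_client line is how you would capture the real leaf from a client behind the firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Fortinet.
# Reproduces the poster's check: which inspection CA re-signed the leaf a
# client receives, and with which signature digest. Assumes only the openssl
# CLI; all certificates are generated locally so this runs offline. The CA
# names and the host name inspected.example are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed inspection CA: $1 = file prefix, $2 = CN, $3 = digest name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 "-$3" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf for a site from a CA, the way a deep-inspection proxy re-signs
# the real site's certificate: $1 = leaf prefix, $2 = CN, $3 = CA prefix
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -sha256 \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# SHA-256 fingerprint of a PEM certificate, to compare with the CA you installed
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# OK if the leaf chains to the given CA, STALE if it does not (the firewall is
# still re-signing with some other certificate)
check_inspection() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo STALE
    fi
}

# On a real network, capture the leaf the firewall presents for a site like this
# (not run here because it needs connectivity):
#   openssl s_client -connect inspected.example:443 -servername inspected.example \
#       </dev/null 2>/dev/null | openssl x509 -outform PEM > site.pem

# Old CA signed with SHA-1 where the local OpenSSL still allows it; builds that
# refuse SHA-1 signing fall back to SHA-256 so the CA-identity check still runs.
make_ca old_ca Old-Inspection-CA sha1 || make_ca old_ca Old-Inspection-CA sha256
make_ca new_ca New-Inspection-CA sha256

# Simulate the symptom from the thread: the new policy is configured, but the
# leaf the client receives is still re-signed by the old CA.
issue_leaf site inspected.example old_ca

echo "new CA fingerprint: $(fingerprint "$WORK/new_ca.pem")"
echo "old CA sig alg:     $(sig_alg "$WORK/old_ca.pem")"
echo "new CA sig alg:     $(sig_alg "$WORK/new_ca.pem")"
echo "leaf issuer:        $(openssl x509 -in "$WORK/site.pem" -noout -issuer)"
echo "chains to new CA:   $(check_inspection "$WORK/site.pem" "$WORK/new_ca.pem")"
echo "chains to old CA:   $(check_inspection "$WORK/site.pem" "$WORK/old_ca.pem")"
```

Comparing the fingerprint of the issuer the client actually receives against the fingerprint of the certificate you uploaded to the firewall is the unambiguous test; the issuer CN alone can be identical on the old and new certificates. Use a fresh connection for the check (the s_client line above makes one) rather than a browser tab that may be reusing an established session.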