Jack_T
New Member
September 15, 2016
Solved

SSL Inspection problem


Hi all,

I have a FortiGate 90D with Web Filter and SSL Inspection enabled.

I can't reach https://www.giustizia.it: with Chrome I receive "ERR_CONNECTION_CLOSED", with Firefox instead "Cannot create secure connection".

If I turn off SSL Inspection I can navigate to the site; I have tried to add an exception in the web filter's rules (wildcard, simple, exempt, allow...) but with no luck.

How can I solve this issue?

Thanks in advance

Best answer by CA_sar_Romero

Jack_T wrote:

Hi, I don't have exempts under the SSL inspection options, maybe I have an old version of FortiOS? Thanks! :)

Exactly, this is available since FortiOS 5.2.

 

2 replies

emnoc
New Member
September 15, 2016

This is an SSL issue and a web filter rule is not going to make a difference.

"Cannot create secure connection"

Q: Do you have the certificate from the SSL proxy accepted in the client?

Q: Does an MSIE or Safari browser exhibit the same issue?

Q: What FortiOS version?

You can't just enable SSL inspection without understanding what's happening.

CA_sar_Romero
New Member
September 16, 2016

My friend,

 

That's a common problem with new versions of browsers: they already have certificates installed for some sites, making the portal inaccessible with no option to just skip the security alert.

The possible options in this case are replacing the SSL Proxy certificate with one that will satisfy the security requirements of the application, or creating exempts for SSL Inspection on Policy & Objects > SSL Inspection.

 

Regards.

Jack_T
Jack_TAuthor
New Member
September 16, 2016

César Romero wrote:

My friend,

That's a common problem with new versions of browsers: they already have certificates installed for some sites, making the portal inaccessible with no option to just skip the security alert.

The possible options in this case are replacing the SSL Proxy certificate with one that will satisfy the security requirements of the application, or creating exempts for SSL Inspection on Policy & Objects > SSL Inspection.

Regards.

Hi, I don't have exempts under the SSL inspection options, maybe I have an old version of FortiOS? Thanks! :)

payers
New Member
October 7, 2016

I have the same problem with other websites, pmi.org for example.

With Skype too, GoToMeeting, WebEx....

Regards

creo
New Member
October 7, 2016

There will always be issues with DEEP inspection. MITM expects you to have the cert.

We tried to implement this many times. Each time we had to fall back.

Nowadays software uses its own certificate, pinned exactly to the software, and doesn't rely on the PC's local certificates.

What does it mean for full deep inspection? You have to exclude this traffic from inspection. That is exactly what Fortinet does: they add "skype" to the exceptions.

But what is wrong with that? When new servers arrive (Skype servers, for example), you need to add them to the exceptions manually or wait for Fortinet to add them to one of the categories that is exempted in your deep inspection rules.
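As an added example (not from this thread and not Fortinet's own documentation), here is the CLI form of the remedy César Romero's answer and creo's reply both describe: a deep-inspection profile that re-signs with the FortiGate CA but exempts specific destinations, first the site Jack_T cannot reach and then, by the same mechanism, any pinned application's servers. The object, profile and policy names are assumptions, and the syntax follows the FortiOS 5.4-era CLI, so a 5.2 build may differ in detail.

```fortios
# Added example, not Fortinet's documentation. Quoted names are assumptions.

# 1. Address object for the destination that fails under deep inspection.
config firewall address
    edit "giustizia.it-fqdn"
        set type fqdn
        set fqdn "www.giustizia.it"
    next
end

# 2. Deep-inspection profile. The FortiGate re-signs server certificates
#    with its own CA (clients must trust "Fortinet_CA_SSL", otherwise every
#    HTTPS site fails), except for the destinations listed under ssl-exempt,
#    which are passed through uninspected. Add one entry per pinned
#    application's server FQDN; 'set type fortiguard-category' exempts a
#    whole FortiGuard category instead of a single address object.
config firewall ssl-ssh-profile
    edit "deep-inspection-with-exempts"
        config https
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config ssl-exempt
            edit 1
                set type address
                set address "giustizia.it-fqdn"
            next
        end
    next
end

# 3. Attach the profile to the outbound policy (policy id 1 is assumed).
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-with-exempts"
    next
end
```

After applying, a browser opening an exempted site should show the site's real issuer rather than Fortinet_CA_SSL, which is the quickest check that the exemption matched.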