noc
Explorer
June 4, 2025
Question

Unable to inspect certain websites using Deep Inspection

  • June 4, 2025
  • 2 replies
  • 1261 views

Hello,

 

I'm trying to deploy DPI on a Fortigate80F v7.0.17.

 

Right now everything works as expected but one thing, the "Trusted CA List".

I'm unable to inspect anything that has a certificate from there, and I haven't found a way to ignore the list, so if I want to inspect packets from YouTube, I'm not able to do so because it has a Google certificate.

 

I have QUIC blocked from application control and from firewall policies, i haven't found anything that is not related to quic, but it seems like is not the issue i'm facing.

 

Has anyone had this problem? Thanks

 

2 replies

abarushka
Staff
June 4, 2025

Hello,

 

I would expect different behavior. In case certificate is not signed by any CA in the "Trusted CA List" certificate error will be returned in case of deep inspection.

 

I would recommend to check "Exempt from SSL Inspection" section (i.e. "Reputable websites" setting).

noc (Author)
Explorer
June 4, 2025

Hello,

Checking that box leads to the same issue: FortiGate won't inspect websites that use certificates from the Trusted CA List.

 

For example, when i visit a random website, the certificate it shows it's my Fortigate's CA, so the dpi works there. But when i access YouTube(for example, there's a lot of webs that do this), it shows a certificate from Google, so DPI is not being applying there.

 

Is there no way to have my Fortigate apply its CA certificate to websites that have a trusted certificate?

Yurisk
SuperUser
June 4, 2025

That is their raison d'être: to exempt traffic to known good/trusted websites from SSL inspection, but you can remove those websites from the list inside your SSL inspection profile, e.g.

noc (Author)
Explorer
June 11, 2025

Sorry for my late answer; I hadn't been able to check this.

 

I have removed everything there, and now it inspects some websites it wasn’t inspecting before. But even now, I can still access sites like Amazon, YouTube, etc., as if packet inspection wasn’t enabled (the certificate is still theirs, not from FortiGate).
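The check the thread does by eye (is the certificate the browser shows issued by the FortiGate's inspection CA, or by the site's real CA?) can be scripted from a client behind the firewall. The script below is an added example, not code from the thread or from Fortinet: it connects to each host with openssl, pulls the issuer of the served certificate and reports whether that issuer CN matches the FortiGate CA CN you pass in. The CA CN ("FortiGate CA" in the comments) and the host list are assumptions; read your actual inspection CA's subject CN off the FortiGate under System > Certificates.

```shell
#!/bin/sh
# Added example (not from the thread): for each host, report whether the TLS
# certificate seen from this client was issued by the FortiGate's deep
# inspection CA ("inspected") or came straight from the site ("not-inspected").
# ASSUMPTION: the inspection CA's subject CN is supplied as the first argument,
# e.g. "FortiGate CA"; check the real value on your FortiGate before trusting it.

# Pull the CN out of an "issuer=..." line as printed by `openssl x509 -noout -issuer`.
# Handles both the current "C = US, O = Google Trust Services, CN = WR2" layout
# and the legacy "/C=US/O=Google Trust Services/CN=WR2" layout.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Verdict for one issuer line: "inspected" when the issuer CN equals the FortiGate
# CA CN (the firewall re-signed the certificate), otherwise "not-inspected"
# (the origin certificate passed through, i.e. the site was exempted or bypassed).
classify_issuer() {
    _line="$1"
    _ca_cn="$2"
    _cn=$(issuer_cn "$_line")
    if [ "$_cn" = "$_ca_cn" ]; then
        echo inspected
    else
        echo not-inspected
    fi
}

# Fetch the issuer line of the certificate a host serves to this client over
# TCP/TLS. openssl s_client does not speak QUIC, so this shows what a browser
# sees only when its connection is not going out over HTTP/3.
fetch_issuer() {
    _host="$1"
    openssl s_client -connect "$_host:443" -servername "$_host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Print "host  issuer-CN  verdict" for every host given after the CA CN.
check_hosts() {
    _ca_cn="$1"
    shift
    for _h in "$@"; do
        _iss=$(fetch_issuer "$_h")
        if [ -z "$_iss" ]; then
            printf '%-24s %s\n' "$_h" "no certificate (connection failed?)"
            continue
        fi
        printf '%-24s %-28s %s\n' "$_h" "$(issuer_cn "$_iss")" \
            "$(classify_issuer "$_iss" "$_ca_cn")"
    done
}

# Usage (assumed CA CN and hosts):
#   sh check-dpi.sh "FortiGate CA" www.youtube.com www.amazon.com example.com
# Only runs the network checks when arguments are given, so the functions can
# also be sourced and reused on their own.
if [ "$#" -gt 0 ]; then
    check_hosts "$@"
fi
```

A host that reports the FortiGate CA here but still shows Google's certificate in the browser points at the transport rather than the exemption list: openssl only tests TCP/TLS, so a browser that reaches the same site over QUIC/HTTP/3 never passes through the TLS proxy, which is why blocking QUIC (as the poster did) matters alongside clearing the exemptions.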