jarbasd
New Member
July 10, 2025
Question

Understanding SSL inspection handling in FortiGate

  • July 10, 2025
  • 1 reply
  • 1515 views

Hello,

I have the following question regarding the SSL inspection process performed by FortiGate, specifically the options below:

[screenshot of the SSL inspection profile options: imagem_2025-07-09_205121346.png]

I'm trying to understand the order in which these options are analyzed. I understand that a verification flow must be followed, and my current understanding is as follows:

My Logic:

It all starts with cert-probe-failure.

cert-probe-failure = Couldn't get the certificate, so it stops here and takes a block or allow action. If successful, continue >>

cert-validation = Opens the certificate and checks CA, revocation, expiration, and SNI.

According to the information obtained from cert-validation, it will perform the actions set below:

  • sni-server-cert-check = enable (I understand this check already occurs in cert-validation)
  • revoked = allow or drop
  • expired = allow or drop
  • untrusted = allow or drop
I'm a little confused about these checks. I read in the documentation that cert-probe-failure already performs validations that other options do, such as untrusted certificate and expired certificate.

Is there any documentation explaining this flow?

Thanks for any help!

1 reply

jiahoong112
Staff
July 10, 2025

Relevant documents:

  • https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-allow-HTTPS-port-443-traffic-when/ta-p/200844
  • https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-fix-SSL-connection-is-blocked-due-to/ta-p/362052

cert-probe is FortiGate pre-probing the destination before allowing the connection between client and server to establish. When this fails, the connection is blocked - this is the default setting. This is the case for versions 7.0, 7.2 and 7.4. From 7.6 onwards, the default action for cert-probe failure is Allow.
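As an added example (not part of this thread or of Fortinet's documentation), the options discussed above as they are set in the FortiOS CLI for a deep-inspection profile, with cert-probe-failure pinned explicitly to block so the behaviour stays the same across the 7.4 to 7.6 default change. The profile name "custom-deep-inspection" is an assumption, and the expired/revoked/untrusted option names are assumed from the FortiOS 7.x CLI, since the post only shows the GUI labels.

```fortios
# Assumed profile name; adjust to the profile bound to your policy.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
            # Pin the probe action explicitly: block is the default on
            # 7.0/7.2/7.4 but allow from 7.6, so do not rely on the default.
            set cert-probe-failure block
            # Action when the presented certificate fails validation.
            set cert-validation-failure block
            # Compare the SNI against the server certificate.
            set sni-server-cert-check enable
            # Assumed names for the GUI labels expired / revoked / untrusted.
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert block
        end
    next
end

# Verify the effective settings on the running unit before
# upgrading, so a changed default does not silently open traffic.
show firewall ssl-ssh-profile custom-deep-inspection
```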