Web Filter in proxy mode gives certificate errors for SSL DPI
Hi everyone,
I've run into a peculiar issue in my lab today (FG-VM 5.2.4) that's had me stumped. Hoping someone can shed light on this!

The problem is around the SSL deep packet inspection and web filter profile. For some reason, whenever I change the web filter's profile to 'proxy' mode, all websites I browse give me certificate errors (this never used to happen before). I've tried this on the main browsers and each gives me cert errors:

Firefox: mozilla_pkix_error_inadequate_key_size
Chrome: NET::ERR_CERT_WEAK_KEY
IE: Doesn't give a specific error

First I tried the default Fortinet_CA_SSLProxy certificate (importing it in root authorities for Firefox and IE/Chrome). After this I recreated the Fortinet_CA_SSLProxy certificate with the following command:

exec vpn certificate local generate default-ssl-ca

This new cert still gives the same errors.

Next I used a FortiAuthenticator to be the Root CA and generated a CSR from the FortiGate (tried both RSA/2048 and Elliptic secp521r1). After signing and re-importing this back into the FortiGate to be used as the SSL proxy cert I still get the same error (also imported the FAUTH CA as a trusted root authority on all browsers).

If I change the web filter profile to 'flow' mode I'm able to browse websites normally with SSL DPI occurring and there are no certificate warnings.
Does anyone have ideas on what else I could do to troubleshoot this?
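An added check, not part of the original post, for narrowing down errors like these: both browser messages mean a key in the presented chain is smaller than the browser accepts, and the offending certificate may be the per-site leaf the proxy re-signs rather than the CA you imported. The script below pulls the chain a host presents through the proxy and reports the key size of every certificate in it; it assumes the openssl CLI is installed, and the function names and the 2048-bit minimum are my own choices.

```shell
#!/bin/sh
# Report the public-key size of every certificate in the chain a server
# (or an intercepting SSL proxy) presents, flagging any below a minimum.
# Assumes the openssl CLI is available; helper names are this example's own.

# Print the bit length of the public key in one PEM certificate file.
# Matches both "RSA Public-Key: (2048 bit)" and "Public-Key: (521 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate's key meets the minimum (default 2048 bits).
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Connect to host:port, split the presented chain into one file per
# certificate, and print OK/WEAK with the key size and subject of each.
# Exit status is 1 if any certificate is below the minimum.
check_presented_chain() {
    tmp=$(mktemp -d)
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null \
        | awk -v d="$tmp" '/BEGIN CERT/{n++; f=1} f{print > (d "/" n ".pem")} /END CERT/{f=0}'
    rc=0
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        if cert_key_ok "$c" "${2:-2048}"; then
            echo "OK   $(cert_key_bits "$c") bit  $subj"
        else
            echo "WEAK $(cert_key_bits "$c") bit  $subj"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

Run it as `check_presented_chain www.example.com:443` from a client behind the proxy; a WEAK line on the first (leaf) certificate points at the key size the proxy uses for re-signed site certificates rather than at the CA itself.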
