pkrejzlik
Staff
Article Id 197083

Description

This article explains how to avoid 'invalid certificate' messages when using NTLM authentication on the FortiGate.


Scope

FortiOS all versions.


Solution

Symptoms:
  • A user receives 'invalid certificate' warning messages when trying to access websites using SSL.
  • Deep Scanning for HTTPS is not enabled on the FortiGate.
  • The symptoms persist even after changing the HTTPS port in the FortiOS protocol options so that they no longer apply to traffic on port 443.

Configuration:
config firewall policy
    edit 4
        set srcintf "port13"
        set dstintf "port14"
        set srcaddr "DHCP INTERNAL"
        set dstaddr "all"
        set action accept
        set ntlm enable
        set fsso enable
        set identity-based enable
        config identity-based-policy
            edit 3
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Internet Access Denied"
                set service "HTTP" "HTTPS"
                set webfilter-profile "BlockAll_WebFilter"
                set profile-protocol-options "Global_Protocol"
            next
            edit 1
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Internet Social Allowed"
                set service "ANY"
                set av-profile "Global_AV"
                set webfilter-profile "Social"
                set ips-sensor "all_default_pass"
                set application-list "Standard_Apps"
                set application-charts top10-app top10-p2p-user top10-media-user
                set profile-protocol-options "Global_Protocol"
            next
            edit 2
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Domain Users"
                set service "ANY"
                set av-profile "Global_AV"
                set webfilter-profile "NoSocial"
                set ips-sensor "all_default_pass"
                set application-list "Standard_Apps"
                set application-charts top10-app top10-p2p-user top10-media-user
                set profile-protocol-options "Global_Protocol"
            next
        end
    next
end

Solution prior to FortiOS 5.2:
config firewall profile-protocol-options
    edit "Global_Protocol"
        set ssl-invalid-server-cert-log enable
        config http
            set port 80
            set options clientcomfort
            set comfort-interval 1
            set comfort-amount 2048
            unset post-lang
            set oversize-limit 2
        end
        config https
            set port 442
            set options allow-invalid-server-cert
            unset post-lang
            set oversize-limit 1
        end
    next
end


Solution for FortiOS 5.2:

config user setting
    set auth-ca-cert ca_certificate_name
end
Solution

The symptoms are the expected behaviour from FortiOS when NTLM is used with HTTPS.

While the exchange of user credentials is transparent to the user, the FortiGate performs it by intercepting the SSL stream, and this interception is what generates the 'invalid certificate' error message.

Even modifying the configuration to use HTTPS deep inspection will not change the behaviour as authentication and deep inspection are two separate processes on the FortiGate, with authentication coming first.

To avoid certificate errors while authenticating HTTPS traffic, FSSO MUST be used.

In FortiOS 5.2 it is possible to configure the CA used to re-sign the SSL certificates that are inserted into the SSL connection in order to intercept the session and redirect it to the NTLM authentication request. A CA certificate that the users trust is required to avoid invalid certificate messages.

For configuration information refer to the Authentication section of the FortiOS Handbook which is available in the Fortinet Document Library.
