vpalli
Staff
Description
Web sites and resources which use the AddTrust External CA are blocked by the FortiGate when SSL inspection is enabled.
Symptoms started on or after May 30th, 2020, when the CA certificates expired.
Note that this issue is not specific to any one vendor; it is the expected consequence of a root CA expiring while servers keep sending it in their chain.


Sample certificate error (other variations of the error may be shown):



Solution
Requirements.

- Deep SSL inspection or certificate inspection is enabled
- Web, email, AV, and/or DLP profile(s) with proxy inspection enabled, and applied to a firewall policy

Cause.


- The AddTrust External CA Root, and the CAs that were cross-signed by it, expired on May 30th, 2020
- Some web servers using certificates signed by these CAs still include the expired CA certificates in the chain they send to the client
- The FortiGate rejects the connection because the trust chain is invalid (a CA in the chain is expired) and, depending on configuration, displays a block page


Workaround options.

Always make a full configuration backup before making any configuration change. A maintenance window, or isolating the change to a test workstation, is recommended.

Workaround 1.
Change the affected firewall policy to flow-based.


- A good option if your configuration has limited firewall policies with web filtering and certificate inspection. Note: deep inspection with flow-based inspection may still encounter the problem.
- Navigate to Policy & Objects -> IPv4 Policy:





Edit the firewall policy in question. For 'Inspection Mode', select 'Flow-based' and select 'OK'.




Repeat for remaining affected firewall policies.

Users can test by opening a new browser tab and trying to visit the site in question.

Workaround 2.
Exempt sites that are still affected from SSL decryption by using a bypass firewall policy.

Create a 'bypass' policy above the existing firewall policies so that it is matched first. Restrict its destinations to the problematic websites, defined as FQDN address objects.
Periodically re-check the websites and remove them from the bypass policy as their certificate chains are corrected over time.
A good option if only a few of the sites users access are impacted.
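The condition described under Cause, and the periodic re-check this workaround asks for, can be tested offline with the following script. It is an added example, not part of this KB article: it takes the PEM chain a server sends (for instance saved from `openssl s_client -showcerts`), walks each certificate's DER just far enough to read its Validity field, and reports which positions in the chain have passed their notAfter date. The two-certificate sample chain, its stub root with a May 30th, 2020 expiry, and the helper names are all constructed for the example.

```python
"""Find expired certificates in a PEM chain (added example). Feed it the chain saved
from `openssl s_client -showcerts`; the DER walker reads only the Validity field."""
import re, ssl
from datetime import datetime, timezone

def _tlv(d, pos):                                    # DER TLV at pos -> (tag, value_start, value_end)
    tag, ln, pos = d[pos], d[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form (multi-byte) length
        n = ln & 0x7F
        ln, pos = int.from_bytes(d[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def cert_validity(der):
    """(notBefore, notAfter) of a DER-encoded X.509 certificate as UTC datetimes."""
    _, pos, _ = _tlv(der, 0)                         # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)                       # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                               # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, vend = _tlv(der, pos)                    # validity ::= SEQUENCE
    times = []
    while pos < vend:                                # UTCTime (0x17) or GeneralizedTime (0x18)
        tag, s, pos = _tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(der[s:pos].decode(), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def chain_validity(pem_chain):                       # validity pair per certificate, leaf first
    pems = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_chain, re.S)
    return [cert_validity(ssl.PEM_cert_to_DER_cert(p)) for p in pems]

def expired_in_chain(pem_chain, now=None):
    """Positions (0 = leaf) of certificates whose notAfter has already passed."""
    now = now or datetime.now(timezone.utc)
    return [i for i, (_, after) in enumerate(chain_validity(pem_chain)) if after < now]
def der_tlv(tag, payload):                           # tiny DER encoder, short-form lengths only
    return bytes([tag, len(payload)]) + payload

def build_stub_cert(not_before, not_after):
    """Constructed, truncated certificate: only the TBS fields up to Validity."""
    utc = lambda t: der_tlv(0x17, t.encode())
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")   # version, serial
           + der_tlv(0x30, b"") + der_tlv(0x30, b"")                         # signature, issuer
           + der_tlv(0x30, utc(not_before) + utc(not_after)))               # validity
    return ssl.DER_cert_to_PEM_cert(der_tlv(0x30, der_tlv(0x30, tbs)))

SAMPLE_CHAIN = (build_stub_cert("200101000000Z", "301231235959Z")          # constructed valid leaf
                + build_stub_cert("000530104838Z", "200530104838Z"))       # stub root expired May 30th, 2020
```

Running `expired_in_chain(SAMPLE_CHAIN)` returns `[1]`: the leaf is fine, the root at position 1 is expired, which is exactly the chain shape that triggers the block page.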

Workaround 3.
Allow invalid certificates in the SSL/SSH inspection profile in use.

Disclaimer:
By applying this workaround, you are agreeing to allow end users to connect to those web servers which are providing invalid/expired certificates. In some cases, the end user HTTPS session may get compromised when connecting to such websites. HTTPS connections matching the firewall policy with this SSL/SSH inspection profile will not be blocked when the FortiGate sees invalid/expired certificates in the TLS Server Hello coming from the web server. End users are expected to see certificate warnings reported by the browser and must accept the risk to proceed connecting to the website which is providing the expired certificate.

A good approach if you have many firewall policies with web filtering and deep inspection.

Navigate to Security Profiles -> SSL/SSH Inspection and edit the profile being used on the problematic firewall policies (‘Ref’ column will be a 1 or higher indicating it is referenced).

Scroll to the bottom and ensure 'Allow invalid SSL certificates' is toggled on. It is not enabled by default.





Select 'OK'.

Users can test by opening a new browser tab and trying to visit the site in question.

Note.

FortiOS 6.0.x, 6.2.x, and 6.4.x should automatically retrieve an updated certificate bundle through FortiGuard. This will alleviate some corner cases; however, the majority of cases will be resolved by the website administrators correcting their invalid certificate chains.
To check if the new certificate bundle is present, run 'get system auto-update versions' and check the 'Certificate Bundle' version line.
Once the new bundle has been installed, the version will be 1.00017 or above.
# get system auto-update versions
...
Certificate Bundle
---------
Version: 1.00017
Contract Expiry Date: n/a
Last Updated using scheduled update on Wed Jun  3 12:05:10 2020
Last Update Attempt: Wed Jun  3 14:04:36 2020
Result: No Updates
If the bundle is not 1.00017+ then run ‘execute update-now’ and check the bundle version again after 20 minutes.

If the bundle still has not been updated, contact Fortinet Support for further assistance.
Additional reading (Links to external websites):
