FortiGate
zzarrouk, Staff

Description

This article describes how to make the FortiGate deny access to a website that presents a revoked certificate.
 
Useful links:
 
 - Fortinet Documentation here.


Solution

With the default configuration, the FortiGate allows access to external resources that present a revoked certificate, because it does not perform a strict CRL or OCSP check by default: if revocation status cannot be confirmed, the certificate is still accepted.

 
The following configuration makes the FortiGate check revocation strictly, using both CRLs and OCSP. ocsp-status enables OCSP checking, ssl-ocsp-status applies it to the server certificates seen by SSL inspection, and ssl-ocsp-option certificate tells the FortiGate to query the OCSP responder URL embedded in the certificate rather than a locally configured responder. The two strict-*-check options make the check fail closed: a certificate is treated as invalid when its CRL or OCSP response cannot be retrieved or validated, not only when it is confirmed revoked.
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
    set strict-crl-check enable
    set strict-ocsp-check enable
end
Because the check now fails closed, the FortiGate itself must be able to resolve and reach the CRL distribution points and OCSP responders of the sites being inspected (DNS and outbound HTTP from the FortiGate, through any upstream proxy); otherwise legitimate sites will also be blocked, so test on non-critical traffic first.
To test the configuration, access the revoked-certificate test page linked here: the FortiGate should now block the connection.
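An independent way to see what a revocation check returns for a given site, and what the strict option changes, is to query the OCSP responder from a workstation with the openssl command line. The script below is an added example for this article, not Fortinet code and not a FortiGate feature: its ocsp_verdict function applies the two decision rules that strict-ocsp-check switches between (fail closed when the status cannot be determined, versus deny only on a definite revoked answer) to the text that openssl ocsp prints, and check_site runs the live query for a hostname. The sample outputs embedded in it are constructed in the format openssl uses, not captures from a real responder; the hostname argument, port 443 and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check a server certificate's
# OCSP status with openssl and apply the fail-open / fail-closed rule that the
# FortiGate strict-ocsp-check option controls. Assumes the openssl CLI and a
# system trust store; hostnames and file names are illustrative.

# ocsp_verdict STRICT  (openssl ocsp output on stdin) -> prints ALLOW or DENY
#   STRICT=1 mirrors `set strict-ocsp-check enable`: allow only a verified
#            response that says "good"; anything else (unknown, unverifiable,
#            responder unreachable, no responder URI) is denied.
#   STRICT=0 mirrors the default: deny only on a definite "revoked" answer.
ocsp_verdict() {
    strict="$1"
    out=$(cat)
    if printf '%s\n' "$out" | grep -q ': revoked'; then
        echo DENY; return
    fi
    if printf '%s\n' "$out" | grep -q 'Response verify OK' &&
       printf '%s\n' "$out" | grep -q ': good'; then
        echo ALLOW; return
    fi
    if [ "$strict" = 1 ]; then echo DENY; else echo ALLOW; fi
}

# check_site HOST [STRICT]: fetch HOST's chain, query the OCSP responder named
# in the leaf certificate, and print the verdict (needs network access).
check_site() {
    host="$1"; strict="${2:-1}"
    tmp=$(mktemp -d) || return 1
    # -showcerts prints the chain leaf-first; split the PEM blocks into files.
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}'
    leaf="$tmp/cert1.pem"; issuer="$tmp/cert2.pem"
    uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri 2>/dev/null)
    if [ -s "$leaf" ] && [ -s "$issuer" ] && [ -n "$uri" ]; then
        # Responder signature is verified against the system trust store;
        # stderr is merged because "Response verify OK" is printed there.
        result=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" 2>&1)
    else
        result='no OCSP responder URI or issuer certificate available'
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result" | ocsp_verdict "$strict"
}

# Constructed samples in the format `openssl ocsp` prints (stderr merged);
# they are not captures from a real responder.
SAMPLE_GOOD='Response verify OK
cert1.pem: good
    This Update: Jan  1 00:00:00 2024 GMT'
SAMPLE_REVOKED='Response verify OK
cert1.pem: revoked
    Reason: keyCompromise'
SAMPLE_UNREACHABLE='Error querying OCSP responder'
SAMPLE_UNVERIFIED='Response Verify Failure
cert1.pem: good'

if [ $# -gt 0 ]; then
    check_site "$1" "${2:-1}"
fi
```

Invoke it as sh ocsp_check.sh HOST 1 for the strict rule or with 0 for the lenient one. A site whose certificate is revoked prints DENY under both rules, while a site whose responder is unreachable prints DENY only under the strict rule; that is the same fail-closed behaviour the FortiGate applies once strict-ocsp-check is enabled, and why responder reachability from the FortiGate matters.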