FortiGate
athirat
Staff

Description

This article describes the options available to handle an untrusted SSL certificate on FortiGate.

Scope

All FortiOS versions.

Solution

When FortiGate cannot successfully verify the server certificate (for example, an untrusted root CA, an expired certificate, or a self-signed certificate), the following options are available on FortiGate to handle this situation:

1) Allow -> When FortiGate detects an untrusted SSL certificate in the Server Hello, it generates a temporary certificate signed by the built-in 'Fortinet_CA_Untrusted' CA certificate.

This temporary certificate is then sent to the client browser, which results in a warning to the user that the site is untrusted.

The CA certificate used for re-signing can be changed only via the CLI, as below:

# config firewall ssl-ssh-profile
    edit <profile_name>
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end

'caname' is the CA used when FortiGate can verify the server certificate. 'untrusted-caname' selects the CA that should be used to re-sign connections whose server certificate cannot be verified.

2) Ignore -> No change in behavior compared to a trusted SSL certificate.

FortiGate uses the default caname 'Fortinet_CA_SSL' to create the temporary certificate.

3) Block -> FortiGate blocks the connection if the server certificate cannot be verified.
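As an added example (not part of the original article), the CLI that selects which of the three behaviours a deep-inspection profile applies to HTTPS. It assumes FortiOS 6.2 or later, where the per-protocol option is named 'untrusted-server-cert' (older releases use a different option name), and a placeholder profile name 'custom-deep-inspection':

```fortios
# Added example, assumes FortiOS 6.2+ syntax; the profile name is a placeholder.
# Full SSL inspection must be enabled, otherwise the server certificate is
# never replaced and the untrusted-certificate handling does not apply.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
            # allow  -> re-sign with untrusted-caname; browser shows a warning
            # ignore -> re-sign with caname; client sees a trusted certificate
            # block  -> drop the connection
            set untrusted-server-cert block
        end
        # CA used when the server certificate verifies successfully
        set caname "Fortinet_CA_SSL"
        # CA used when it does not (only relevant for 'allow')
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end
```

With 'ignore', the client never learns that the upstream certificate failed verification, so FortiGate is accepting that risk on the user's behalf; 'block' or 'allow' keeps the failure visible.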
