FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
athirat
Staff
Article Id 218813

Description

 

This article describes the options available for handling untrusted SSL server certificates in a FortiGate deep SSL inspection profile.

 

Scope

 

FortiGate.

 

Solution

 

When a server certificate fails verification, FortiGate writes an entry to the event logs under SSL events: the event type 'ssl-anomaly' appears in the corresponding field, with log ID 1700062302. For example:

 

date=2023-05-02 time=16:08:01 eventtime=1683061680985416370 tz="-0500" logid="1700062302" type="utm" subtype="ssl" eventtype="ssl-anomaly" level="notice" vd="root" action="resign-as-untrusted" policyid=20 poluuid="da23f9f0-7c2e-51ed-ec49-277a332ec2af" policytype="policy" sessionid=16436357 service="SSL" profile="custom-deep-inspection" srcip=10.195.161.20 srcport=54710 srccountry="Reserved" dstip=152.99.166.196 dstport=443 dstcountry="United States" srcintf="Interface-1" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" srcuuid="307fa87e-71a6-51ec-9530-eef5256c29ef" dstuuid="9a4bc3b8-2b89-51ec-d015-7b3b2366ae1a" proto=17 tlsver="tls1.3" sni="outlook.office.com" cipher="0x1302" authalgo="rsa" kxproto="ecdhe" eventsubtype="certificate-anomaly" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted " hostname="outlook.office.com"
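To make the event above easy to spot in bulk, the following added example (not part of the article or of FortiOS) parses FortiOS key=value log lines and flags the ssl-anomaly entries whose server certificate was re-signed as untrusted, so an operator can review which internal hosts and SNIs are hitting unverifiable certificates. The second sample line is constructed with a placeholder log ID so that the filter has something to reject.

```python
import re

# FortiOS logs are space-separated key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

# Log ID quoted in the article for the SSL certificate-anomaly event.
UNTRUSTED_CERT_LOGID = "1700062302"

# Constructed sample input: a trimmed copy of the article's event, plus a benign
# SSL line with a placeholder logid (9999999999 is not a real FortiOS log ID).
SAMPLE_LOGS = [
    'date=2023-05-02 time=16:08:01 logid="1700062302" type="utm" subtype="ssl" '
    'eventtype="ssl-anomaly" level="notice" vd="root" action="resign-as-untrusted" '
    'policyid=20 profile="custom-deep-inspection" srcip=10.195.161.20 srcport=54710 '
    'dstip=152.99.166.196 dstport=443 proto=17 tlsver="tls1.3" sni="outlook.office.com" '
    'eventsubtype="certificate-anomaly" msg="Server certificate is re-signed as untrusted, '
    'certificate-status: untrusted " hostname="outlook.office.com"',
    'date=2023-05-02 time=16:09:12 logid="9999999999" type="utm" subtype="ssl" '
    'eventtype="ssl-anomaly" level="notice" vd="root" action="passthrough" policyid=20 '
    'profile="custom-deep-inspection" srcip=10.195.161.21 srcport=50001 '
    'dstip=203.0.113.10 dstport=443 sni="example.invalid" msg="constructed benign sample"',
]


def parse_fortilog(line: str) -> dict:
    """Parse one FortiOS log line into a dict; quotes and surrounding spaces are stripped."""
    return {key: value.strip('"').strip() for key, value in _KV.findall(line)}


def untrusted_cert_events(lines) -> list:
    """Return a summary for every line that is an untrusted-certificate ssl-anomaly event.

    action=resign-as-untrusted is the behaviour the article describes for the
    'allow' setting: the server certificate is re-signed with Fortinet_CA_Untrusted
    and the user sees a browser warning.
    """
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("logid") != UNTRUSTED_CERT_LOGID:
            continue
        if rec.get("eventsubtype") != "certificate-anomaly":
            continue
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "src": f"{rec.get('srcip')}:{rec.get('srcport')}",
            "dst": f"{rec.get('dstip')}:{rec.get('dstport')}",
            "sni": rec.get("sni") or rec.get("hostname"),
            "action": rec.get("action"),
            "profile": rec.get("profile"),
            "policyid": rec.get("policyid"),
        })
    return hits
```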

When FortiGate cannot verify the server certificate (for example, because the root CA is untrusted, the certificate has expired, or the certificate is self-signed), the following options are available under the 'ssl-ssh-profile' to handle the situation:

 

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set untrusted-server-cert (allow/ignore/block)
        end
    next
end

 

  1. Allow: When FortiGate detects an untrusted SSL certificate in the Server Hello, it generates a temporary certificate signed by the built-in 'Fortinet_CA_Untrusted' certificate. This temporary certificate is then sent to the client's browser, which results in a warning to the user that the site is untrusted.

 

The CA certificates used for re-signing can be changed only via the CLI, as below:

 

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set caname "Fortinet_CA_SSL" <----- Used when FortiGate can verify the server certificate.
        set untrusted-caname "Fortinet_CA_Untrusted" <----- Change this to the certificate that should be used for untrusted connections.
    next
end

 

  2. Ignore: No change in behavior compared to a trusted SSL certificate. FortiGate uses the default 'Fortinet_CA_SSL' certificate to create the temporary certificate, so the client receives no warning.

  3. Block: FortiGate blocks the connection if the server certificate cannot be verified.