This article describes the options available on FortiGate for handling an untrusted SSL server certificate.
Applies to all FortiOS versions.
When FortiGate cannot successfully verify the server certificate (for example, an untrusted root CA, an expired certificate, or a self-signed certificate), the following options are available on FortiGate to handle the situation:
1) Allow -> When FortiGate detects an untrusted SSL certificate in the Server Hello, it generates a temporary certificate signed by the built-in 'Fortinet_CA_Untrusted' CA.
This temporary certificate is then sent to the client browser, which warns the user that the site is untrusted.
The CA certificates used for the temporary certificates can be changed only via the CLI, as below:
# config firewall ssl-ssh-profile
    edit <profile_name>
        set caname "Fortinet_CA_SSL"                  --> used when FortiGate can verify the server certificate
        set untrusted-caname "Fortinet_CA_Untrusted"  --> change this to the CA that should sign certificates for untrusted connections
    next
end
2) Ignore -> No change in behavior compared to a trusted SSL certificate.
FortiGate uses the default caname 'Fortinet_CA_SSL' to create the temporary certificate, so the client receives it exactly as it would for a trusted site.
3) Block -> FortiGate blocks the connection if the server certificate cannot be verified.
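The following is an added configuration example, not taken from the article, showing the profile setting that selects between these three behaviors, with the weakest choice beside a safer one. It assumes the option is exposed as 'set untrusted-server-cert' in the 'config https' sub-table of the SSL/SSH profile, as in recent FortiOS releases, and that the profile name 'deep-inspection-custom' exists; confirm the exact keyword on your release with '?' at the CLI prompt.

```text
# Added example; profile name and CLI keyword are assumptions, check them on your release.

# Weak setting: a failed upstream verification is silently re-signed with the
# trusted Fortinet_CA_SSL, so an expired or self-signed server certificate is
# invisible to the user and to any browser-side trust check.
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config https
            set untrusted-server-cert ignore
        end
    next
end

# Safer setting: the temporary certificate is signed by Fortinet_CA_Untrusted
# instead, so the client still sees the trust failure (use 'block' to drop the
# connection outright rather than let the user click through).
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set untrusted-server-cert allow
        end
    next
end

# Verify the resulting profile configuration.
show firewall ssl-ssh-profile "deep-inspection-custom"
```

From the client side, the issuer of the certificate presented by FortiGate (Fortinet_CA_SSL versus Fortinet_CA_Untrusted) tells an administrator whether the upstream server certificate passed verification.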