gbamania
Staff
Article Id 229966
Description

This article describes a use case where SSL Deep Inspection is enabled on FortiGate and when the destination host/webserver requires the client to present its Client Certificate during SSL/TLS negotiation as part of authentication.

Scope

FortiGate.
Solution

Currently, FortiGate does not support relaying the client certificate to the web server while also performing deep inspection of the SSL/TLS session, in either of the following deep inspection modes.

Configuring the deep inspection profile on FortiGate:

config firewall ssl-ssh-profile
    edit <Profile-name>
        set server-cert-mode ?
            re-sign    <----- Multiple clients connecting to multiple servers.
            replace    <----- Protect an SSL server.
        config https
            set ports 443
            set client-certificate ?
                bypass     <----- Bypass the session.
                inspect    <----- Inspect the session.
                block      <----- Block the session.
        end
    next
end

  • When the client-certificate setting is 'bypass', FortiGate exempts that session from SSL deep inspection and passes the client certificate to the server for SSL/TLS negotiation. Deep inspection is not performed in this case.
  • When the client-certificate setting is 'inspect', FortiGate performs deep inspection but does not send the client certificate to the server, which can lead to SSL/TLS negotiation failures and dropped connections. FortiOS does not support re-signing client certificates via the deep inspection configuration; this is supported only by FortiProxy.
  • When the client-certificate setting is 'block', FortiGate blocks the session when it receives the client certificate during SSL/TLS negotiation.
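Added example (not Fortinet's code): a small Python audit that parses a FortiGate ssl-ssh-profile dump and lists the profiles whose HTTPS client-certificate action is 'inspect' or 'block', i.e. the profiles that will break destinations requiring a client certificate under deep inspection. The sample dump and its profile names are constructed for this example.

```python
import re

# Constructed sample of a FortiOS CLI dump (not a real device); the
# profile names are hypothetical.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set server-cert-mode re-sign
        config https
            set ports 443
            set client-certificate inspect
        end
    next
    edit "mtls-friendly"
        set server-cert-mode re-sign
        config https
            set ports 443
            set client-certificate bypass
        end
    next
    edit "cert-only"
        set server-cert-mode re-sign
        config https
            set status certificate-inspection
        end
    next
end
"""

def parse_ssl_profiles(text):
    """Map each profile name to its server-cert-mode and HTTPS client-certificate (None if absent)."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "?([^"]+?)"?$', line)
        if m:  # start of a profile entry
            current = m.group(1)
            profiles[current] = {"server-cert-mode": None, "client-certificate": None}
        elif current and line.startswith("set server-cert-mode "):
            profiles[current]["server-cert-mode"] = line.split()[-1]
        elif current and line.startswith("set client-certificate "):
            profiles[current]["client-certificate"] = line.split()[-1]
        elif line == "next":  # end of the profile entry
            current = None
    return profiles

def mtls_risky_profiles(text):
    """Profiles where the client cert is not relayed ('inspect') or the session is dropped ('block')."""
    return sorted(name for name, p in parse_ssl_profiles(text).items()
                  if p["client-certificate"] in ("inspect", "block"))
```

Profiles with no client-certificate line are reported as unset rather than assumed to use any default.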


Alternate Solutions:

  • Solution 1: Add the website to the SSL exemption list (refer to this KB article: Exempting applications from SSL Inspection).
  • Solution 2: FortiGate supports client certificate authentication as used in mutual Transport Layer Security (mTLS) communication between a client and a server.


Related document:
mTLS client certificate authentication