This article describes the case where SSL deep inspection is enabled on FortiGate and the destination host/web server requires the client to present its client certificate during the SSL/TLS handshake as part of authentication.
Currently, FortiGate does not support relaying the client certificate to the web server while at the same time performing deep inspection of the SSL/TLS session, in either of the following deep inspection modes (re-sign or replace).
Configuring the deep inspection profile on FortiGate (the two server-cert-mode values and the three client-certificate values are listed with their meaning):

    # config firewall ssl-ssh-profile
        edit <profile-name>
            set server-cert-mode {re-sign | replace}
                re-sign <----- Multiple clients connecting to multiple servers.
                replace <----- Protect an SSL server.
            config https
                set ports 443
                set client-certificate {bypass | inspect | block}
                    bypass  <----- Bypass the session.
                    inspect <----- Inspect the session.
                    block   <----- Block the session.
            end
        next
    end
- When client-certificate is set to 'bypass', FortiGate exempts that session from SSL deep inspection and passes the client certificate through to the server for the SSL/TLS handshake. Deep inspection is not performed on that session.
- When client-certificate is set to 'inspect', FortiGate performs deep inspection but does not send the client certificate to the server, because FortiGate terminates the client's TLS session and opens its own session to the server.
Thus the server never sees the client certificate it asked for, which can lead to SSL/TLS negotiation failures and the connection being dropped. FortiOS does not support re-signing client certificates through the deep inspection configuration; this is only supported by FortiProxy.
- When client-certificate is set to 'block', FortiGate blocks the session when it receives the client certificate during the SSL/TLS handshake.
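A complete profile that applies the 'bypass' choice to client-certificate sessions, together with the firewall policy that binds it, as an added example rather than configuration from the article; the profile name "deep-inspection-mtls", policy ID 10, the interface names and the address objects are assumed:

```text
config firewall ssl-ssh-profile
    edit "deep-inspection-mtls"          <----- assumed profile name
        set server-cert-mode re-sign     <----- multiple clients to multiple servers
        config https
            set ports 443
            set client-certificate bypass   <----- 'inspect' would break the handshake when the server
                                                   asks for a client certificate; 'bypass' lets that
                                                   session through uninspected; 'block' terminates it
        end
    next
end

config firewall policy
    edit 10                              <----- assumed policy ID
        set srcintf "port1"              <----- assumed interfaces and address objects
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy        <----- deep inspection with client-certificate handling runs in proxy mode
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-mtls"
    next
end
```

Sessions in which the client presents a certificate are exempted from inspection by this profile; all other HTTPS sessions on port 443 matching policy 10 are still re-signed and inspected.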