FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 229966

This article describes a use case where SSL Deep Inspection is enabled on FortiGate and when the destination host/webserver requires the client to present its Client Certificate during SSL/TLS negotiation as part of authentication.

Scope FortiGate.

Currently, FortiGate does not support relaying the Client Certificate to the web server and at the same time performing Deep inspection of the SSL/TLS session in either of the following deep inspection modes.


Configuring Deep Inspection profile on FortiGate:

# config firewall ssl-ssh-profile
    edit <Profile-name>
    server-cert-mode ?        

    re-sign <----- Multiple Clients Connecting to Multiple Servers.



replace      <----- Protect an SSL server.


# config https

    set ports 443
    set client-certificate ?

    bypass     <----- Bypass the session.

    inspect    <----- Inspect the session.

    block      <----- Block the session.

- When client-certificate setting is set to 'bypass', FortiGate will exempt that session from SSL deep inspection and pass the client certificate to the server for SSL/TLS negotiation. Deep inspection is not performed in this case.


- When client-certificate setting is set to 'inspect', FortiGate performs deep inspection but won’t send the Client Certificate to Server.

Thus, it could lead to SSL/TLS negotiation issues and connection drop. FortiOS does not support re-signing Client Certificates via deep inspection configuration. Only supported by FortiProxy.


- When client-certificate setting is set to 'block', FortiGate will block the session when it receives the client-certificate during SSL/TLS negotiation.


Alternate Solution:
FortiGate supports client certificate authentication used in mutual Transport Layer Security (mTLS) communication between a client and server.


Related document: