Description |
This article describes the checks that FortiGate performs on a server certificate during SSL inspection, and how it blocks or allows the connection based on the SSL inspection profile configuration:
|
Scope | FortiGate. |
Solution |
The action taken for each of these checks (allow, block, or ignore the session/certificate) is configured per protocol under the SSL/SSH inspection profile.
For example:
config firewall ssl-ssh-profile
    edit <profile_name>
        config <service_name>
            set expired-server-cert <block/allow/ignore>
        end
    end
Configuration requirements: the following settings must be in place for the FortiGate to validate the certificate checks above and to record the result:
'ssl-anomaly-log' is enabled by default; the resulting logs can be found under Log & Report -> SSL.
config firewall ssl-ssh-profile
    edit <profile_name>
        set ssl-anomaly-log enable
    end
A log message is generated only when the action for a check is set to 'allow' or 'block'. With the 'ignore' action the SSL session is allowed without any event being logged on the FortiGate, so the condition will not be visible under Log & Report.
config firewall ssl-ssh-profile
    edit <profile_name>
        config <service_name>
            set cert-validation-timeout allow    <<<<<
        end
    end
The forward-traffic and debug logs below confirm the certificate validation timeout. Because the action is 'allow', the server certificate is re-signed as untrusted and the session continues:
certificate-status: validation_timeout" cert:status=fnbam result=unstable timeout
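The configuration snippets above (the per-protocol certificate check actions and the profile-level 'ssl-anomaly-log' setting) are easy to get wrong across many profiles, and an 'ignore' action silently allows the session with no log entry. The following script is an added example, not Fortinet code and not part of this article: it parses a constructed dump in the nested FortiOS CLI format (config / edit / set / next / end, as produced by 'show firewall ssl-ssh-profile'; use 'show full-configuration' if you also want default values to appear) and reports every profile/service where one of the two checks named on this page is set to 'ignore' or left unset, and every profile with 'ssl-anomaly-log' disabled. The profile names, service blocks and values in SAMPLE_CONFIG are constructed placeholders.

```python
"""Audit FortiGate ssl-ssh-profile certificate-check actions from a CLI dump.

Added example (not Fortinet code). Parses the nested FortiOS CLI format
(config / edit / set / next / end) and flags:
  - a certificate check set to 'ignore' (session allowed, nothing logged)
  - a certificate check not explicitly set (relies on the FortiOS default)
  - a profile with 'ssl-anomaly-log' disabled (allow/block events not logged)
"""

# Certificate checks discussed on this page; both are 'set' options inside a
# 'config <service>' block of an ssl-ssh-profile.
CERT_CHECKS = ("expired-server-cert", "cert-validation-timeout")

# Constructed sample dump (placeholder profile names, not a real device export).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-inspect-strict"
        set ssl-anomaly-log enable
        config https
            set expired-server-cert block
            set cert-validation-timeout allow
        end
        config smtps
            set expired-server-cert block
            set cert-validation-timeout block
        end
    next
    edit "deep-inspect-lax"
        set ssl-anomaly-log disable
        config https
            set expired-server-cert ignore
            set cert-validation-timeout ignore
        end
    next
end
"""


def parse_profiles(text):
    """Return {profile: {"settings": {opt: val}, "services": {svc: {opt: val}}}}."""
    profiles = {}
    in_profiles = False   # inside 'config firewall ssl-ssh-profile'
    current = None        # profile currently open with 'edit'
    service = None        # 'config <service>' block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        kw, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if kw == "config":
            if arg == "firewall ssl-ssh-profile":
                in_profiles = True
            elif current is not None:
                service = arg
                profiles[current]["services"].setdefault(service, {})
        elif kw == "edit" and in_profiles:
            current = arg.strip('"')
            profiles[current] = {"settings": {}, "services": {}}
        elif kw == "set" and current is not None:
            opt, _, val = arg.partition(" ")
            target = profiles[current]["services"][service] if service else profiles[current]["settings"]
            target[opt] = val.strip('"')
        elif kw == "next":
            current = None
        elif kw == "end":
            if service is not None:
                service = None       # closes 'config <service>'
            else:
                in_profiles = False  # closes 'config firewall ssl-ssh-profile'
    return profiles


def audit(profiles, checks=CERT_CHECKS):
    """Return a list of (profile, service, option, value, finding) tuples."""
    findings = []
    for name, prof in profiles.items():
        if prof["settings"].get("ssl-anomaly-log") == "disable":
            findings.append((name, None, "ssl-anomaly-log", "disable",
                             "SSL anomaly logging disabled; allow/block events not recorded"))
        for svc, opts in prof["services"].items():
            for check in checks:
                action = opts.get(check)
                if action is None:
                    findings.append((name, svc, check, None, "not set; relies on FortiOS default"))
                elif action == "ignore":
                    findings.append((name, svc, check, action, "session allowed without any log entry"))
    return findings


if __name__ == "__main__":
    for profile, svc, opt, val, why in audit(parse_profiles(SAMPLE_CONFIG)):
        where = f"{profile}/{svc}" if svc else profile
        print(f"{where}: {opt}={val}: {why}")
```

Run against a real export by replacing SAMPLE_CONFIG with the text of 'show firewall ssl-ssh-profile'; the 'not set' finding is only meaningful for a plain 'show', which omits options still at their default value.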
Copyright 2025 Fortinet, Inc. All Rights Reserved.