|
These checks and the respective actions to allow, block, or ignore the session/certificate can be configured under the SSL Inspection profile configuration.
For example:
config firewall ssl-ssh-profile
edit <profile_name>
config <service_name>
set expired-server-cert <block/allow/ignore>
set revoked-server-cert <block/allow/ignore>
set untrusted-server-cert <block/allow/ignore>
end
end
Configuration Requirements:
The following elements need to be used for the FortiGate to validate the above elements:
- WebFilter.
- SSL/SSH inspection profile .
- Proxy-based policy.
- For Revoked certificates, enable OCSP-STATUS in 'config vpn certificate settings'.
To view the results of certificate validation performed by FortiGate, enable 'ssl-anomaly-log' under the ssl-ssh-profile configuration.
The default setting for 'ssl-anomaly-log' is enabled and the logs can be found under Log & Report -> SSL.
config firewall ssl-ssh-profile
edit <profile_name>
set ssl-anomaly-log enable
end
A log message will be generated only when the action for the check is set to 'Allow' or 'Block'. 'Ignore' action would allow the SSL session without logging an event on the FortiGate.
- Proxy-based inspection, Certificate Verification/Validation is always performed when the proxy-based firewall policy and getting certificate error while accessing the website need to allow the cert-validation-timeout in SSL-ssh-profile as most likely remote public cert-check-server not responding request of validation in time.
config firewall ssl-ssh-profile
edit "certificate-inspection"
config https
config https
set ports 443
set status deep-inspection
set proxy-after-tcp-handshake disable
set cert-validation-timeout allow <<<<<
set cert-validation-failure block
Below forward and debug logs can confirm the certification validation timeout. The server certificate is re-signed as untrusted:
certificate-status: validation_timeout"
cert:status=fnbam result=unstable timeout
|
