FortiGate
gbamania
Staff
Article Id 216625
Description

This article describes the checks FortiGate performs on a server certificate during SSL inspection, and how it then blocks or allows the connection according to the SSL/SSH inspection profile configuration:

  • Certificate validity dates (expiry).
  • Certificate revocation status.
  • Certificate chain of trust.
Scope

FortiGate.
Solution

These checks, and the respective action to take on the session (allow, block, or ignore), are configured in the SSL/SSH inspection profile.

 

For example, where <service_name> is the protocol sub-table of the profile (https, smtps, pop3s, imaps, or ftps):

 

config firewall ssl-ssh-profile
    edit <profile_name>
        config <service_name>
            set expired-server-cert <block/allow/ignore>
            set revoked-server-cert <block/allow/ignore>
            set untrusted-server-cert <block/allow/ignore>
        end
    next
end

 

Configuration Requirements:

The following elements are required for the FortiGate to perform the checks above:

  • WebFilter.
  • SSL/SSH inspection profile.
  • Proxy-based firewall policy.
  • For revocation checks, enable 'ocsp-status' under 'config vpn certificate setting'; without it, a revoked certificate cannot be detected and 'revoked-server-cert' has nothing to act on.


To view the results of certificate validation performed by FortiGate, enable 'ssl-anomaly-log' under the ssl-ssh-profile configuration.

 

The default setting for 'ssl-anomaly-log' is enabled and the logs can be found under Log & Report -> SSL.

 

config firewall ssl-ssh-profile
    edit <profile_name>
        set ssl-anomaly-log enable
    next
end

 

A log message is generated only when the action for a check is set to 'allow' or 'block'. The 'ignore' action allows the SSL session without logging an event on the FortiGate, so an absence of SSL anomaly logs is not evidence that all certificates validated cleanly.

 

  • With proxy-based inspection, certificate verification is always performed once a proxy-based firewall policy is in use. If users receive certificate errors when accessing a website, the most likely cause is that the remote public certificate-check server (OCSP or CRL distribution point) did not answer the validation request in time. In that case, set 'cert-validation-timeout' to 'allow' in the SSL/SSH profile. Note that this only relaxes the timeout case: sessions whose revocation status could not be confirmed are let through, while 'cert-validation-failure' should stay at 'block' so that certificates which definitively fail validation are still rejected.

 

config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set ports 443
            set status deep-inspection
            set proxy-after-tcp-handshake disable
            set cert-validation-timeout allow    <<<<< allow the session when the OCSP/CRL check times out
            set cert-validation-failure block
        end
    next
end

 

The following forward-traffic log and debug output confirm a certificate validation timeout. Because the check did not complete, the server certificate is re-signed as untrusted rather than with the trusted CA:

 

certificate-status: validation_timeout

cert:status=fnbam result=unstable timeout
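The two log-related passages above (the 'ssl-anomaly-log' behaviour, where 'ignore' produces no event, and the 'cert-validation-timeout allow' workaround) lead to the same operational question: which hosts are being allowed through with a certificate that was not validated cleanly? The script below is an added example, not code from the article or from Fortinet. It parses FortiOS-style key=value log lines and summarises the certificate-validation outcomes. The general key=value layout with double-quoted values is how FortiOS logs are written, but the sample lines are constructed for this example and the field names it reads ('subtype', 'certstatus', 'action', 'hostname') are assumptions that must be checked against the SSL logs of your own firmware before using it on real data.

```python
import re
from collections import Counter, defaultdict

# One regex pass over a FortiOS-style line: key=value pairs whose value is either
# double-quoted (may contain spaces and backslash-escaped quotes) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Split one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


# Validation outcomes the SSL/SSH profile can act on. The field name 'certstatus'
# and these values are assumptions for this example; confirm them on your firmware.
# A check set to 'ignore' never produces a log line, so missing outcomes here are
# NOT evidence that those certificates were fine.
VALIDATION_OUTCOMES = {
    "expired",             # expired-server-cert
    "revoked",             # revoked-server-cert (requires ocsp-status enabled)
    "untrusted",           # untrusted-server-cert (chain of trust)
    "validation_timeout",  # cert-validation-timeout (OCSP/CRL server did not answer)
    "validation_failure",  # cert-validation-failure
}

# Constructed sample lines (not real FortiGate output) covering a blocked expired
# certificate, two allowed validation timeouts to one host, a blocked untrusted
# certificate with an escaped quote in msg, and an unrelated webfilter event.
SAMPLE_LOGS = [
    'date=2023-03-01 time=10:15:02 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.1.1.23 dstip=203.0.113.10 dstport=443 hostname="expired.example.test" certstatus="expired" action="blocked" msg="SSL Anomalies: server certificate expired"',
    'date=2023-03-01 time=10:15:09 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.1.1.23 dstip=203.0.113.11 dstport=443 hostname="slow-ocsp.example.test" certstatus="validation_timeout" action="passthrough" msg="SSL Anomalies: certificate validation timed out"',
    'date=2023-03-01 time=10:15:40 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.1.1.45 dstip=203.0.113.11 dstport=443 hostname="slow-ocsp.example.test" certstatus="validation_timeout" action="passthrough" msg="SSL Anomalies: certificate validation timed out"',
    'date=2023-03-01 time=10:16:01 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.1.1.45 dstip=203.0.113.12 dstport=443 hostname="selfsigned.example.test" certstatus="untrusted" action="blocked" msg="SSL Anomalies: \\"untrusted\\" server certificate"',
    'date=2023-03-01 time=10:16:30 type="utm" subtype="webfilter" level="notice" srcip=10.1.1.45 dstip=203.0.113.13 dstport=443 hostname="fine.example.test" action="passthrough" msg="URL belongs to an allowed category"',
]


def summarize(lines):
    """Count (certstatus, action) pairs over SSL log lines and collect risky passthroughs.

    Returns (counter, risky): counter maps (certstatus, action) -> count; risky maps
    hostname -> number of 'passthrough' sessions whose certificate did not validate
    cleanly, i.e. exactly what 'cert-validation-timeout allow' lets through.
    """
    counter = Counter()
    risky = defaultdict(int)
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("subtype") != "ssl":
            continue  # only SSL anomaly events carry certificate-validation results
        status = f.get("certstatus", "ok")
        action = f.get("action", "")
        counter[(status, action)] += 1
        if status in VALIDATION_OUTCOMES and action == "passthrough":
            risky[f.get("hostname", f.get("dstip", "?"))] += 1
    return counter, dict(risky)


if __name__ == "__main__":
    counts, risky_hosts = summarize(SAMPLE_LOGS)
    for (status, action), n in sorted(counts.items()):
        print(f"{status:20s} {action:12s} {n}")
    for host, n in risky_hosts.items():
        print(f"ALLOWED WITHOUT CLEAN VALIDATION: {host} ({n} sessions)")
```

Run on an export of the Log & Report -> SSL entries, the 'risky' map is the list of destinations to review: a host that repeatedly times out is a candidate for fixing the OCSP/CRL reachability problem rather than leaving the timeout action at 'allow' indefinitely.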