Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gbamania
Staff
Staff

Created on ‎07-04-2022 02:59 AM Edited on ‎01-12-2023 07:25 AM By Moderator

Article Id 216625

Technical Tip: How does FortiGate checks the Website Certificates and allow/deny the SSL connection

Description

This article describes that FortiGate does the following checks in a certificate and will further block or allow the connection based on the SSL inspection profile configuration.

 

- Date or certificate expiry.

- Certificate Revocation Check.

- Certificate Chain of Trust.
Scope FortiGate.
Solution

These checks and the respective actions to allow, block or ignore the session/certificate can be configured under the SSL Inspection profile configuration.

 

For example:

 

# config firewall ssl-ssh-profile

    edit <profile_name>

    config <service_name>

        set expired-server-cert <block/allow/ignore>
        set revoked-server-cert <block/allow/ignore>
        set untrusted-server-cert <block/allow/ignore>

    end

end

 

In order for FortiGate to perform these checks, a web-filtering profile should be enabled along with an SSL-inspection profile in the firewall policy.

Note:

 

- Certificate Verification/Validation is not performed when the firewall policy is in flow-based with the Certificate Inspection profile.

 

- However, a deep inspection profile enabled on a flow-based firewall policy can perform those checks.

 

- In the case of Proxy-based inspection, Certificate Verification/Validation is always performed when the proxy-based firewall policy has a certificate inspection or deep inspection profile enabled.

To view the results of certificate validation performed by FortiGate, enable 'ssl-anomaly-log' under the ssl-ssh-profile configuration.

 

The default setting for 'ssl-anomaly-log' is enabled and the logs can be found under Log & Report -> SSL.

 

# config firewall ssl-ssh-profile

    edit <profile_name>

        set ssl-anomaly-log enable

end

 

A log message will be generated only when the action for the check is set to 'Allow' or 'Block'. 'Ignore' action would allow the SSL session without logging an event on the FortiGate.

 

- Proxy-based inspection, Certificate Verification/Validation is always performed when the proxy-based firewall policy and getting certificate error while accessing the website need to allow the cert-validation-timeout in SSL-ssh-profile as most likely remote public cert-check-server not responding request of validation in time.

 

# config firewall ssl-ssh-profile
    edit "certificate-inspection"
    config https
    config https
        set ports 443
        set status deep-inspection
        set proxy-after-tcp-handshake disable

        set cert-validation-timeout allow <<<<<
        set cert-validation-failure block

Below forward and debug logs can confirm the certification validation timeout. The server certificate is re-signed as untrusted:

 

certificate-status: validation_timeout"

cert:status=fnbam result=unstable timeout
 
Labels:
3541
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.