FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 216625

This article describes that FortiGate does the following checks in a certificate and will further block or allow the connection based on the SSL inspection profile configuration.


- Date or certificate expiry.

- Certificate Revocation Check.

- Certificate Chain of Trust.

Scope FortiGate.

These checks and the respective actions to allow, block or ignore the session/certificate can be configured under the SSL Inspection profile configuration.


For example:


# config firewall ssl-ssh-profile

    edit <profile_name>

    config <service_name>

        set expired-server-cert <block/allow/ignore>
        set revoked-server-cert <block/allow/ignore>
        set untrusted-server-cert <block/allow/ignore>




In order for FortiGate to perform these checks, a web-filtering profile should be enabled along with an SSL-inspection profile in the firewall policy.



- Certificate Verification/Validation is not performed when the firewall policy is in flow-based with the Certificate Inspection profile.


- However, a deep inspection profile enabled on a flow-based firewall policy can perform those checks.


- In the case of Proxy-based inspection, Certificate Verification/Validation is always performed when the proxy-based firewall policy has a certificate inspection or deep inspection profile enabled.

To view the results of certificate validation performed by FortiGate, enable 'ssl-anomaly-log' under the ssl-ssh-profile configuration.


The default setting for 'ssl-anomaly-log' is enabled and the logs can be found under Log & Report -> SSL.


# config firewall ssl-ssh-profile

    edit <profile_name>

        set ssl-anomaly-log enable



A log message will be generated only when the action for the check is set to 'Allow' or 'Block'. 'Ignore' action would allow the SSL session without logging an event on the FortiGate.


- Proxy-based inspection, Certificate Verification/Validation is always performed when the proxy-based firewall policy and getting certificate error while accessing the website need to allow the cert-validation-timeout in SSL-ssh-profile as most likely remote public cert-check-server not responding request of validation in time.


# config firewall ssl-ssh-profile
    edit "certificate-inspection"
    config https
    config https
        set ports 443
        set status deep-inspection
        set proxy-after-tcp-handshake disable

        set cert-validation-timeout allow <<<<<
        set cert-validation-failure block

Below forward and debug logs can confirm the certification validation timeout. The server certificate is re-signed as untrusted:


certificate-status: validation_timeout"

cert:status=fnbam result=unstable timeout