Fortinet Community

abarad · ‎12-13-2021

Description

This article describes how to resolve the issue to allow HTPPS (port 443) traffic when a certificate-probe-failed error message occurs on
FortiGate SSL logs that block all the traffic when read only certificate inspection is used.

Scope

1) Certificate probing: certificate-probe is a feature that was introduced in Forti-OS 7.0.

2) This feature is used by fortiGATE OS 7.0 and above to pre-probe the server for it's certificate so that read only certificate inspection is done before a client-server connection is established.

3) FortiGate's probe to the server fails because of either of the below reasons:

A. TCP handshake fails.
B. TLS handshake fails.
C. The probe traffic is misrouted and doesn't reach the server.

4) It is because the first Client Hello seen on server side is an forged Client-Hello sent by FortiGate to probe server's certificate.But, server does not like (Recognise) this Client Hello like in inspection mode, and handshake fails.

5) The default behavior is for the FortiGate read only certificate to drop the client session to that server as server does not accept the FortiGate's probe.

6) This failure results in the terminates of the original SSL session from client to server. Hence, this allows option was added from 7.0.1 onward.

Solution

As it is not possible to modify any option for 'read only certificate' ; recommendation is to create a clone of 'read only certificate' and

set action as allow instead of default action as block for

HTTPS protocol.

This behavior is controlled by the set cert-probe-failure [block|allow] setting in the SSL Inspection profile.

This settings will allow the original SSL connection to continue when certificate-probe get failed.

This feature is available per protocol.

Using CLI :

#config firewall ssl-ssh-profile
edit <certificate profile name>
#config <protocol name>
set cert-probe-failure [allow | block] (Default action is block; change it to allow

Reference Config CLI :

neutron-esx12 # config firewall ssl-ssh-profile <----- This command is use to modify ssl-ssh inspection profile.

neutron-esx12 (ssl-ssh-profile) edit Clone of certificate-inspection <----- This command is used to modify configured inspection profile

neutron-esx12 (Clone of certificate-inspection) # config https <----- This command is use to modify settings of HTTPS protocol.

neutron-esx12 (https) set cert-probe-failure allow <----- This command is use to change firewall behavior when pre-probe failed (Default action is Block).

neutron-esx12 (https) end

neutron-esx12 (Clone of certificate-inspection) end

List of available protocol for which invalid-server-cert action can be modified :

ssl Configure SSL options.
https Configure HTTPS options.
ftps Configure FTPS options.
imaps Configure IMAPS options.
pop3s Configure POP3S options.
smtps Configure SMTPS options.
ssh Configure SSH options.

Reference document :

https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/316620/config-firewall-ssl-ssh-prof...
https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/316620/config-firewall-ssl-ssh-prof...

Note.

Be notified that cert-probe-failure option is not

available for custom deep inspections certificates.

This option is available only for certificate and clone of certificate inspection.

Fortinet Community

Technical Tip: How to allow HTTPS (port 443) traffic when certificate-probe-failed error occurred in FortiGate SSL logs Log and report SSL that blocks traffic when read only certificate inspection is used.