abarad
Staff
Description

This article describes how to allow HTTPS (port 443) traffic when a certificate-probe-failed error appears in the FortiGate SSL logs and all traffic to a server is blocked while read-only certificate inspection is in use.
Scope

1) Certificate probing: certificate-probe is a feature introduced in FortiOS 7.0.

2) FortiOS 7.0 and later use it to pre-probe the server for its certificate, so that read-only certificate inspection can be completed before the client-server connection is established.

3) The FortiGate's probe to the server fails for one of the following reasons:

A. The TCP handshake fails.
B. The TLS handshake fails.
C. The probe traffic is misrouted and never reaches the server.

4) In case B, the first Client Hello the server sees is the Client Hello forged by the FortiGate to probe for the server's certificate. Some servers do not accept or recognise this forged Client Hello, and the handshake fails.

5) The default behavior of the read-only certificate-inspection profile is to drop the client session to that server when the server does not accept the FortiGate's probe.

6) Because this failure terminates the original SSL session from the client to the server, an allow option was added from FortiOS 7.0.1 onward.
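As an added example (not FortiGate code, and not part of the original article), the following Python script approximates the certificate probe described above from the firewall's vantage point: it opens a TCP connection, sends a Client Hello (with SNI only if one is given), reads the server's leaf certificate, and classifies the outcome into the three failure reasons listed in step 3. The local listeners, the free-port helper and the name origin.example are constructed fixtures so the script runs offline; how closely a Python TLS client's Client Hello matches the FortiGate's own probe is an assumption, so treat a "tls_failed" result as a strong hint rather than proof of reason B.

```python
"""Emulate a read-only certificate probe and classify why it failed.

Added example (not FortiGate code): it approximates the FortiGate pre-probe
with a plain Python TLS client so an admin can check, from the firewall's
vantage point, whether a server answers the Client Hello a probe would send.
The outcome labels map onto the article's three failure reasons.
"""
import hashlib
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    outcome: str                       # "ok", "tcp_failed", "tls_failed", "unreachable"
    detail: str
    fingerprint: Optional[str] = None  # SHA-256 of the server's leaf cert (DER), if seen


def probe_server(host: str, port: int = 443, sni: Optional[str] = None,
                 timeout: float = 5.0) -> ProbeResult:
    """Open TCP, send a Client Hello (SNI only when `sni` is given), read the
    leaf certificate and classify the result like cert-probe-failure would."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # read-only: we want the cert, not a trust verdict

    # Reason A / C: the TCP handshake never completes.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ProbeResult("unreachable",
                           "TCP connect timed out; probe may be misrouted or silently dropped")
    except OSError as exc:
        return ProbeResult("tcp_failed", f"TCP handshake failed: {exc}")

    # Reason B: the server rejects or does not understand our Client Hello.
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni)
    except ssl.SSLError as exc:
        raw.close()
        return ProbeResult("tls_failed", f"TLS handshake failed: {exc}")
    except OSError as exc:
        raw.close()
        return ProbeResult("tls_failed", f"connection dropped during TLS handshake: {exc}")

    try:
        der = tls.getpeercert(binary_form=True) or b""
        fingerprint = hashlib.sha256(der).hexdigest()
        return ProbeResult("ok", f"{tls.version()} with {tls.cipher()[0]}", fingerprint)
    finally:
        tls.close()


def start_non_tls_listener(accept_and_close: bool = False):
    """Constructed test fixture: a loopback listener that is NOT a TLS server.
    It either answers the Client Hello with plaintext HTTP or just closes the
    connection; both make the probe's TLS handshake fail like an unhappy origin.
    Returns (port, stop_callable)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                if not accept_and_close:
                    try:
                        conn.recv(4096)  # swallow the Client Hello
                        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                    except OSError:
                        pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def closed_port() -> int:
    """Constructed fixture: a loopback port on which nothing is listening."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_non_tls_listener()
    print(probe_server("127.0.0.1", port, sni="origin.example", timeout=3))
    stop()
    print(probe_server("127.0.0.1", closed_port(), timeout=3))
    print(probe_server("example.com", 443, sni="example.com"))  # needs network
```

Run it against the real origin from a host on the same path as the FortiGate, once with the SNI the clients use and once without, and compare: an "ok" with SNI but "tls_failed" without it points at a server that only completes handshakes for a known server name, which is exactly the situation in which the allow setting in the solution below is the pragmatic fix.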

Solution

The default 'certificate-inspection' profile (read-only certificate inspection) is read-only and none of its options can be modified. The recommendation is therefore to create a clone of it and, in the clone, set the action for the HTTPS protocol to allow instead of the default block.

This behavior is controlled by the set cert-probe-failure [block|allow] setting in the SSL inspection profile.

When set to allow, the original SSL connection is permitted to continue when the certificate probe fails.

The setting is available per protocol.


Using CLI:

config firewall ssl-ssh-profile
    edit <certificate profile name>
        config <protocol name>
            set cert-probe-failure [allow | block]   (default is block; change it to allow)
        end
    next
end


Reference Config CLI:

neutron-esx12 # config firewall ssl-ssh-profile <----- Enter the SSL/SSH inspection profile table.

neutron-esx12 (ssl-ssh-profile) # edit "Clone of certificate-inspection" <----- Select the cloned inspection profile (the name contains spaces, so quote it).

neutron-esx12 (Clone of certificate-inspection) # config https <----- Enter the settings for the HTTPS protocol.

neutron-esx12 (https) # set cert-probe-failure allow <----- Change the firewall behavior when the pre-probe fails (default is block).

neutron-esx12 (https) # end

neutron-esx12 (Clone of certificate-inspection) # end <----- Save the profile and leave the table.


Protocol sub-sections available in the SSL/SSH inspection profile (per-protocol actions such as invalid-server-cert are set inside these):


ssl Configure SSL options.
https Configure HTTPS options.
ftps Configure FTPS options.
imaps Configure IMAPS options.
pop3s Configure POP3S options.
smtps Configure SMTPS options.
ssh Configure SSH options.

 

Reference documents:

https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/316620/config-firewall-ssl-ssh-prof...
https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/316620/config-firewall-ssl-ssh-prof...

 

Note:

The cert-probe-failure option is not available in custom deep-inspection profiles.

It is available only in the certificate-inspection profile and in clones of it.
