Created on 12-13-2021 04:12 PM Edited on 02-26-2024 05:14 AM By Jean-Philippe_P
Description | This article describes how to resolve an issue with allowing HTTPS (port 443) traffic when a certificate-probe-failed error message occurs on FortiGate SSL logs that block all the traffic while read-only certificate inspection is used. |
Scope | FortiGate. |
Solution |
Certificate probe traffic may require additional parameters to reach the destination server correctly. Certificate probe traffic can be controlled with the following options:

    config ips global
        config tls-active-probe
        end
    end
Because no option of the built-in read-only 'certificate-inspection' profile can be modified, it is recommended to create a clone of the 'certificate-inspection' profile and, in the clone, set the action for the HTTPS protocol to 'allow' instead of the default 'block'.
This behavior is controlled by the set cert-probe-failure [block|allow] setting in the SSL Inspection profile.
This setting will allow the original SSL connection to continue when the certificate-probe attempt fails. This feature is available per protocol.
Using the CLI:

    config firewall ssl-ssh-profile
        edit <certificate profile name>
            config <protocol name>
                set cert-probe-failure [allow | block]   (Default action is block; change it to allow)
            end
        end
Reference configuration in the CLI:

    config firewall ssl-ssh-profile                 <- This command is used to modify the SSL/SSH inspection profile.
        edit Clone of certificate-inspection        <- This command is used to modify the configured inspection profile.
            config https                            <- This command is used to modify the settings of the HTTPS protocol.
                set cert-probe-failure allow        <- This command is used to change firewall behavior when the pre-probe fails (Default action is block).
            end
        end
List of available protocols for which the invalid-server-cert action can be modified:
See the CLI reference for more information about configuring each.
If the certificate probe fails and 'certificate-probe-failed' is set to allow, FortiGate cannot obtain the server certificate needed for deep inspection, so it passes the session without applying the certificate checks. For example, if the server certificate has expired and FortiGate is configured to block expired certificates, the session is still passed, because FortiGate never sees the server certificate. In the FortiGate log this shows up as two different entries: the first log shows 'eventsubtype="certificate-probe-failed"', and the following log shows 'action="exempt"'.
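To see which sessions were passed only because the probe failed, the two log entries can be correlated per session. The following is an added example, not code from the article or from Fortinet; the sample log lines are constructed, and the sessionid, srcip, dstip and hostname fields are assumed names, while eventsubtype="certificate-probe-failed" and action="exempt" are the values the article describes.

```python
import re

# Constructed sample FortiGate SSL log lines (key=value format). Only the
# eventsubtype="certificate-probe-failed" and action="exempt" values come from
# the article; sessionid/srcip/dstip/hostname are assumed field names.
SAMPLE_LOGS = """\
date=2021-12-13 time=16:12:01 type="utm" subtype="ssl" sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 hostname="expired.example" eventsubtype="certificate-probe-failed" action="blocked"
date=2021-12-13 time=16:12:01 type="utm" subtype="ssl" sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 hostname="expired.example" action="exempt"
date=2021-12-13 time=16:12:05 type="utm" subtype="ssl" sessionid=1002 srcip=10.0.0.7 dstip=203.0.113.20 hostname="good.example" action="passthrough"
date=2021-12-13 time=16:12:09 type="utm" subtype="ssl" sessionid=1003 srcip=10.0.0.9 dstip=203.0.113.30 hostname="probe-blocked.example" eventsubtype="certificate-probe-failed" action="blocked"
"""

# key=value pairs; values are either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one FortiGate log line into a dict, with quotes stripped."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
        for m in FIELD_RE.finditer(line)
    }


def correlate_probe_failures(log_text):
    """Classify every session that logged a certificate-probe failure.

    Returns a dict sessionid -> "exempt" when the probe failure was followed
    by action="exempt" (cert-probe-failure allow), or "blocked" when no
    exempt record follows (cert-probe-failure left at the default block).
    """
    probe_failed = {}  # sessionid -> first record carrying the probe failure
    exempted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "ssl" or "sessionid" not in rec:
            continue
        sid = rec["sessionid"]
        if rec.get("eventsubtype") == "certificate-probe-failed":
            probe_failed.setdefault(sid, rec)
        elif rec.get("action") == "exempt" and sid in probe_failed:
            exempted.add(sid)
    return {sid: ("exempt" if sid in exempted else "blocked") for sid in probe_failed}


def exempted_destinations(log_text):
    """List (sessionid, hostname, dstip) for sessions passed without a
    server certificate check, so they can be reviewed by an administrator."""
    results = correlate_probe_failures(log_text)
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        sid = rec.get("sessionid")
        if sid in results and results[sid] == "exempt" and sid not in seen:
            seen[sid] = (sid, rec.get("hostname", ""), rec.get("dstip", ""))
    return list(seen.values())
```

Sessions reported as "exempt" are exactly those the article describes: the expired or otherwise failing server certificate was never checked, so these destinations deserve a manual review.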
Copyright 2024 Fortinet, Inc. All Rights Reserved.