Description | This article describes how to allow HTTPS (port 443) traffic when a certificate-probe-failed error message appears in the FortiGate SSL logs and all traffic is blocked while read-only certificate inspection is used. |
Scope |
1) Certificate probing: certificate-probe is a feature that was introduced in FortiOS 7.0.
3) FortiGate's probe to the server fails for either of the reasons below:
A. TCP handshake fails.
4) This happens because the first Client Hello seen on the server side is a forged Client Hello sent by FortiGate to probe the server's certificate. The server does not accept (recognise) this Client Hello as it would in inspection mode, and the handshake fails.
|
Solution |
As it is not possible to modify any option of the read-only certificate inspection profile, the recommendation is to create a clone of it and set the action for the HTTPS protocol to allow instead of the default block.
This behavior is controlled by the set cert-probe-failure [block|allow] setting in the SSL Inspection profile.
This setting allows the original SSL connection to continue when the certificate probe fails. The setting is available per protocol.
Using CLI:
# config firewall ssl-ssh-profile
Reference Config CLI:
neutron-esx12 # config firewall ssl-ssh-profile <----- This command is used to modify the SSL/SSH inspection profile.
List of available protocols for which the invalid-server-cert action can be modified:
ssl Configure SSL options.
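The complete CLI sequence for the procedure above, added here as an example and not taken from the article or from Fortinet's documentation. It assumes the built-in read-only profile is named certificate-inspection, that the clone command is available in this table, and uses placeholder values for the clone name (cert-inspection-probe-allow) and the firewall policy ID (1):

```fortios
# Clone the read-only built-in profile; unlike the original, the clone can be edited.
config firewall ssl-ssh-profile
    clone certificate-inspection to cert-inspection-probe-allow
    edit cert-inspection-probe-allow
        set comment "certificate inspection; allow HTTPS when the cert probe fails"
        # The setting is per protocol: only HTTPS is changed here,
        # the other protocols keep the default block action.
        config https
            set cert-probe-failure allow
        end
    next
end

# Point the affected policy (placeholder ID 1) at the clone instead of the read-only profile.
config firewall policy
    edit 1
        set ssl-ssh-profile cert-inspection-probe-allow
    next
end

# Verify that the clone carries the new setting.
show firewall ssl-ssh-profile cert-inspection-probe-allow
```

Sessions that take this path continue without the check the probe would have provided, so attach the clone only to the policies that need it and keep the SSL log for those policies under review.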
Reference document : https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/316620/config-firewall-ssl-ssh-prof...
Note: the cert-probe-failure option is not available for custom deep inspection profiles. It is available only for the certificate inspection profile and clones of it. |