Technical Tip: How to allow/block the Expired/Invalid Certificates in firewall ssl-ssh-profile

ppatel · ‎11-25-2021

Description

This article describes how to allow Expired/Invalid Certificates in firewall ssl-ssh-profile.

Scope

FortiGate.

Solution

v6.0.

config firewall ssl-ssh-profile

edit <SSL-SSH-PROFILE-NAME>

set allow-invalid-server-cert [enable | disable]

end

v6.2.

config firewall ssl-ssh-profile

edit <SSL-SSH-PROFILE-NAME>

set invalid-server-cert [allow|block]

end

v6.4 and v7.0.

config firewall ssl-ssh-profile

edit <SSL-SSH-PROFILE-NAME>

set expired-server-cert [allow|block|ignore]

end

Configuration requirements.

Firewall Policy Requirements:
- Web-filter.
- Proxy-based inspection.
SSH/SSL inspection:
- Certificate inspection enabled (deep-inspection optional).

Configuration Example to block expired and revoked certificates (showing only related elements).

SSL/SSH certificate:

F2 (Clone of deep-in~ion) # show
config firewall ssl-ssh-profile
edit "Clone of deep-inspection"

    config https
       set ports 443
       set expired-server-cert block
       set revoked-server-cert block

Firewall Policy:

config firewall policy
edit 1
    set name "IN-OUT-H"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "Clone of deep-inspection"
        set webfilter-profile "default"
next
end

Technical Tip: How to allow/block the Expired/Invalid Certificates in firewall ssl-ssh-profile

You are leaving our website