FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.



This article describes how to configure FortiGate to block invalid and revoked certificates, and how to test the configuration against the badssl.com test site.



In the SSL/SSH inspection profile, set 'Invalid SSL certificates' to 'Block'.

1) For

The test page's certificate is revoked, which is detected by the certificate OCSP status check. By default FortiGate does not perform a strict CRL check and does not query the certificate's OCSP responder.
Enable the OCSP status check with the following configuration change:

# config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable           <-----
    set strict-crl-check enable
    set strict-ocsp-check enable
end
2) For

The following configuration is required to block invalid certificates:

# config firewall ssl-ssh-profile
    edit "Block_Invalid"
        config https
            set invalid-server-cert block    <-----
            set sni-server-cert-check strict <-----
        end
    next
end
3) For

Currently there is no plan to support HTTP Public-Key-Pins (HPKP) verification during SSL inspection.
FortiGate administrators can manually block such websites using a Web Filter profile if needed.

- Blocking invalid and revoked certificates works only with full (deep) SSL inspection, not with certificate inspection, on a flow-based policy.

- By design:
>> Flow mode + deep-inspection blocks expired and revoked certificates.
>> Flow mode + certificate-inspection does not block expired and revoked certificates.
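The fragments above only show the individual settings. The following is an added, complete example (not taken from this article) that combines them into one SSL/SSH inspection profile with deep inspection enabled and attaches it to a flow-mode firewall policy, which is the combination the note above says is required. The profile name "Block_Invalid" is the one used above; the policy name, interface names and the `expired-server-cert`, `revoked-server-cert`, `untrusted-server-cert` and `cert-validation-failure` options are assumptions for this example, and option names can differ between FortiOS versions, so check them against the CLI reference for the running firmware.

```fortios
# Global certificate validation: query OCSP/CRL and fail closed on errors
config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable
    set strict-crl-check enable
    set strict-ocsp-check enable
end

# SSL/SSH inspection profile: deep inspection on 443 so the server
# certificate is actually validated, and every failure class is blocked
config firewall ssl-ssh-profile
    edit "Block_Invalid"
        set comment "Block expired, revoked, untrusted and invalid server certificates"
        config https
            set ports 443
            set status deep-inspection
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert block
            set cert-validation-failure block
            set invalid-server-cert block
            set sni-server-cert-check strict
        end
    next
end

# Flow-mode policy that references the profile (policy ID 0 = next free ID,
# interface names are placeholders). Without utm-status and the profile
# attached, the certificate checks above are never applied to the traffic.
config firewall policy
    edit 0
        set name "LAN-to-WAN_block_invalid_certs"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "Block_Invalid"
        set logtraffic all
        set nat enable
    next
end
```

After applying this, browse from a client behind the policy to the expired, revoked and untrusted-root test pages on badssl.com: each connection should be replaced by the FortiGate block page, while a page with a valid certificate still loads. If the pages load, confirm the policy uses deep inspection rather than certificate inspection, since certificate inspection does not validate the server certificate chain.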

Related article:

Technical Tip: FortiGate strict CRL check