FortiGate
vifi (Staff)
Article Id 403025
Description This article describes how to resolve the 'certificate-probe-failed' error for mask-h2.icloud.com.
Scope FortiGate v7.4.x.
Solution

In Security Logs -> SSL logs, there are many SSL anomaly logs for mask-h2.icloud.com:

time="07:15:31" devid="FGXXXXXXXXXX" vd="FFF" type="utm" subtype="ssl" action="bypass" bid=32076206 devname="IFG" dstepid=101 dsteuid=3 dstintf="FFFoutside" dstintfrole="lan" dstip="17.248.248.123" dstport=443 dstuuid="f84dc972-b00c-51e7-bde1-f5861a210eb0" dvid=1053 epid=3 euid=3 eventsubtype="certificate-probe-failed" eventtime=1751958931577967864 eventtype="ssl-anomaly" hostname="mask-h2.icloud.com" id=7524606312588514193 level="notice" logid="1700062306" logver=704082795 msg="SSL connection is bypassed due to unable to retrieve server's certificate" policyid=94 policytype="policy" poluuid="3ee8b2a2-cea3-51e7-2863-bc943b189f6a" profile="custom-cert-inspection" proto=6 service="SSL" sessionid=3361964428 sni="mask-h2.icloud.com" srccountry="Reserved" srcintf="XL-FF_inside" srcintfrole="lan" srcip="10.155.177.74" srcport=60994 srcuuid="f77bc4fc-b53b-51e7-eb3a-2c5a21b0b403"

To find the cause of the SSL anomalies, collect IPS debugs with the following commands (replace x.x.x.x with the source IP of an affected client):

diagnose debug reset
diagnose ips filter set 'host x.x.x.x' <----- source IP.
diagnose debug console timestamp enable
diagnose ips debug enable all
diagnose ips pme debug enable
diagnose debug enable


In the debug output, the certificate probe to the server fails with a TLS fatal alert (alert code 47 is illegal_parameter):

2025-07-09 14:31:17 [22858@-1]eng_debug_log: Probe info:
2025-07-09 14:31:17 [22858@-1]eng_debug_log: Server: 17.248.131.26:443
2025-07-09 14:31:17 [22858@-1]eng_debug_log: Server name: mask-h2.icloud.com
2025-07-09 14:31:17 [22858@-1]eng_debug_log: STARTTLS: no
2025-07-09 14:31:17 [22858@-1]eng_debug_log: Probe failed: fatal alert code=47--------------------------->>>>
2025-07-09 14:31:17 [22858@-1]eng_debug_log: parallel probes: 1
2025-07-09 14:31:17 [22858@-1]eng_debug_log: Memory usage: 587 KiB, errors: 1252913
2025-07-09 14:31:17 [623@-1]probe_finish: probe finished unsuccessfully. id: 1536175, sess: 88481239

This issue is being investigated under known issue 1141367 and will be fixed in v7.4.9.
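
To triage these events in bulk before deciding on the workaround, here is an added example (not Fortinet code) in Python. It parses FortiGate key=value SSL log lines like the one above, counts ssl-anomaly events by eventsubtype and server name, reports how many sessions were bypassed (i.e. passed uninspected), and decodes the 'fatal alert code' from the IPS probe debug line using the RFC 5246 alert names. The sample log lines are constructed for illustration and modelled on the event above; the hostname host.example.net and the reduced field set are assumptions.

```python
"""Summarise FortiGate SSL-anomaly log events and decode IPS probe failures.

This is an added example, not Fortinet code. The log lines below are
constructed for illustration, modelled on the key=value event and the
IPS debug output shown in the article.
"""
import re
from collections import Counter

# FortiGate log fields are key=value pairs; values are either double-quoted
# (and may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_ssl_anomalies(lines):
    """Count ssl-anomaly events by (eventsubtype, server name).

    Returns (counter, bypassed) where bypassed is the number of anomalies the
    firewall let through uninspected (action="bypass"), which is what the
    'cert-probe-failure allow' workaround produces.
    """
    counts = Counter()
    bypassed = 0
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "ssl":
            continue  # not an SSL inspection event
        if f.get("eventtype") != "ssl-anomaly":
            continue
        server = f.get("hostname") or f.get("sni") or f.get("dstip", "?")
        counts[(f.get("eventsubtype", "?"), server)] += 1
        if f.get("action") == "bypass":
            bypassed += 1
    return counts, bypassed


# TLS alert descriptions (RFC 5246 section 7.2, subset); code 47 is the one
# seen in the article's debug output.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

_PROBE_RE = re.compile(r"Probe failed: fatal alert code=(\d+)")


def decode_probe_failure(debug_line: str):
    """Return (code, alert_name) for an IPS 'Probe failed' debug line, else None."""
    m = _PROBE_RE.search(debug_line)
    if not m:
        return None
    code = int(m.group(1))
    return code, TLS_ALERTS.get(code, "unknown_alert")


# Constructed sample input (not real device logs); the third line uses a
# made-up hostname and a block action to show the grouping, the fourth is a
# traffic log that must be ignored.
SAMPLE_LOGS = [
    'time="07:15:31" devid="FGXXXXXXXXXX" vd="FFF" type="utm" subtype="ssl" action="bypass" '
    'eventtype="ssl-anomaly" eventsubtype="certificate-probe-failed" hostname="mask-h2.icloud.com" '
    'sni="mask-h2.icloud.com" dstip="17.248.248.123" dstport=443 srcip="10.155.177.74" '
    'msg="SSL connection is bypassed due to unable to retrieve server\'s certificate" policyid=94',
    'time="07:15:40" devid="FGXXXXXXXXXX" vd="FFF" type="utm" subtype="ssl" action="bypass" '
    'eventtype="ssl-anomaly" eventsubtype="certificate-probe-failed" hostname="mask-h2.icloud.com" '
    'dstip="17.248.131.26" dstport=443 srcip="10.155.177.80" policyid=94',
    'time="07:16:02" devid="FGXXXXXXXXXX" vd="FFF" type="utm" subtype="ssl" action="block" '
    'eventtype="ssl-anomaly" eventsubtype="certificate-probe-failed" hostname="host.example.net" '
    'dstip="192.0.2.10" dstport=443 srcip="10.155.177.81" policyid=94',
    'time="07:16:05" devid="FGXXXXXXXXXX" vd="FFF" type="traffic" subtype="forward" action="accept" '
    'dstip="192.0.2.20" dstport=443 srcip="10.155.177.82" policyid=94',
]

SAMPLE_DEBUG = "2025-07-09 14:31:17 [22858@-1]eng_debug_log: Probe failed: fatal alert code=47"


if __name__ == "__main__":
    counts, bypassed = summarize_ssl_anomalies(SAMPLE_LOGS)
    for (subtype, server), n in counts.most_common():
        print(f"{n:4d}  {subtype:<28} {server}")
    print(f"bypassed (uninspected) sessions: {bypassed}")
    print("probe failure:", decode_probe_failure(SAMPLE_DEBUG))
```

Running the summary against an export of the SSL log lets you confirm that the anomalies are concentrated on mask-h2.icloud.com before setting the profile to allow probe failures, since that setting applies to every server the profile inspects, not just this one.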

Workaround:

Set 'cert-probe-failure' to allow in the SSL/SSH inspection profile used by the firewall policy, and add a static URL filter as shown below:

  1. Use the following CLI commands:

config firewall ssl-ssh-profile
    edit <name>
        config https
            set cert-probe-failure allow <-------- bypass instead of block when the certificate probe fails
        end
    next
end

  2. Configure a static URL filter in the Web Filter profile used in the firewall policy:

[Screenshot: static URL filter entry in the Web Filter profile]