Kenichi_Terashita_FT
Staff
Created on 07-13-2010 12:08 AM Edited on 05-26-2022 07:38 AM By Anonymous
Article Id
195742
Description
This article provides a workaround for the situation where SSL Inspection fails when FortiGate verifies the server certificate using the CA certificate which is installed on the FortiGate.
When the FortiGate is able to verify the original server certificate against a CA certificate that is already installed on the FortiGate, the SSL connection fails because the FortiGate treats the certificate as invalid.
Two examples would be:
- The FortiManager web UI presents a server certificate signed by Fortinet_CA. Because that CA certificate is installed on every FortiGate, the issue occurs.
- If the administrator installs another CA certificate, the issue also occurs for any original server certificate signed by that CA certificate.
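The check described above, server certificate against the CA store installed on the inspecting device, can be reproduced on any host with the OpenSSL command-line tool. The script below is an added example and not part of the Fortinet article: it builds a throwaway CA (standing in for a CA certificate installed on the FortiGate), issues one server certificate from that CA and one self-signed certificate from no installed CA, and runs the same chain validation against both. The certificate names (Installed Test CA, mgmt.example.test, rogue.example.test) are constructed test data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): reproduce with OpenSSL the two
# verdicts an SSL-inspecting device reaches when it validates an original server
# certificate against its installed CA store. Every certificate is generated on
# the fly in a temporary directory and is constructed test data only.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway "installed CA", standing in for a CA certificate held by the device.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Installed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# A server certificate issued by that CA: the "original server certificate" of a
# server whose chain the inspecting device is able to verify.
make_signed_server() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mgmt.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.crt" >/dev/null 2>&1
}

# A self-signed server certificate that chains to no installed CA.
make_unsigned_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=rogue.example.test" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# verify_against_store <cert>: prints "valid" when the certificate chains to the
# installed CA and "invalid" otherwise. The ": OK" line is matched rather than
# relying on the exit status, which older OpenSSL releases did not set on failure.
# This is the verdict that allow-invalid-server-cert tells the device to ignore.
verify_against_store() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" 2>&1 | grep -q ': OK$'; then
    echo valid
  else
    echo invalid
  fi
  return 0
}

setup_test_pki() {
  make_ca
  make_signed_server
  make_unsigned_server
}

setup_test_pki
echo "CA-signed server certificate:  $(verify_against_store "$WORK/srv.crt")"
echo "self-signed server certificate: $(verify_against_store "$WORK/rogue.crt")"
```

The first line is the outcome the article says a working FortiGate should produce for a server such as FortiManager; the second is what the same store produces for a certificate nobody installed a CA for. Because allow-invalid-server-cert suppresses the verdict in both cases, enabling it as a workaround removes the distinction shown here for every inspected server, not only the ones affected by the article's issue.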
Workaround
Workaround 1
Enable the allow-invalid-server-cert option. Note that this option accepts any invalid server certificate, not only the certificates affected by this issue.
FortiOS 4.0 MR1 and before:

config firewall profile
    edit <name>
        set <protocol> allow-invalid-server-cert
    next
end

config firewall profile-protocol-options
    edit <name>
        config <protocol>
            set options allow-invalid-server-cert
        end
    next
end
Workaround 2
Upgrade to FortiOS 4.0 MR2, build 256.
Related Articles
Technical Tip: How to enable Deep Content Inspection
Troubleshooting Tip : Verifying server certificate on SSL Inspection