Created on 12-21-2022 01:59 AM Edited on 01-05-2024 07:00 AM By Jean-Philippe_P
Description | This article explains the cause of an issue where, after adding an exemption for a specific website, FortiGate produces errors about certificate issues when the website is using an untrusted certificate. |
Scope | FortiGate, SSL. |
Solution |
When using SSL exemptions, FortiGate will ONLY exempt the content of the selected flows from inspection. SSL exemption excludes the session from being 'deep scanned', and UTM inspection is disabled for that session.
However, checks for trusted or untrusted certificates against SNI or CN are still performed because this happens during the SSL negotiation stage. As a result, the settings are separated into two configuration menus:
Options for certificate inspection:
Options for SSL flow inspection exemptions:
The described behavior is only observed when the firewall policy is set to proxy inspection mode. In the case of flow inspection mode, it is the browser's responsibility to check the certificate for anomalies. |
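As an added illustration (not part of the original article), the fragment below shows where the two separate groups of settings sit in the FortiOS CLI, assuming FortiOS 7.x syntax. The profile name, wildcard FQDN object, policy ID and the chosen values are constructed placeholders.

```text
# Constructed sample fragment; lines starting with '#' are annotations.
config firewall wildcard-fqdn custom
    edit "exempt-example"
        set wildcard-fqdn "*.example.com"
    next
end
config firewall ssl-ssh-profile
    edit "kb-example-profile"
        config https
            set ports 443
            set status deep-inspection
            # Certificate inspection options. Per the article, these are
            # evaluated during the SSL negotiation, so they still apply
            # to sessions that match an exemption below.
            set untrusted-server-cert block
            set sni-server-cert-check enable
        end
        # SSL flow inspection exemptions. Matching sessions skip deep
        # scanning and UTM inspection only; the certificate checks
        # above are configured and evaluated separately.
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "exempt-example"
            next
        end
    next
end
config firewall policy
    edit 1
        # The behavior described in the article applies in proxy mode.
        set inspection-mode proxy
        set ssl-ssh-profile "kb-example-profile"
    next
end
```

With a profile like this, a site matched by the exemption and presenting an untrusted certificate is still handled by the `untrusted-server-cert` setting, which is the situation the article describes.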