FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
abarad (Staff)
Article Id 200844
Description

This article describes how to resolve an issue with allowing HTTPS (port 443) traffic when a 'certificate-probe-failed' error message appears in the FortiGate SSL logs and all traffic is blocked while read-only certificate inspection is used.
Scope

FortiGate.

Solution
  1. Certificate probing: certificate-probe is a feature that was introduced in v7.0.
  2. This feature is used by v7.0 and above to pre-probe the server for its certificate so that read-only certificate inspection is done before a client-server connection is established.
  3. FortiGate's probe to the server fails for one of the following reasons:
  • TCP handshake fails.
  • TLS handshake fails.
  • The probe traffic is misrouted and does not reach the server.
  • The Root or Intermediate CA of the server certificate is not trusted or installed on the FortiGate device.
In FortiGate, the 'certificate-probe-failed' process works as follows:

When FortiGate connects to a server (for example, for SSL VPN, web filtering, or HTTPS inspection), it checks the server's certificate for:

  • Validity (not expired or revoked).
  • Trust (issued by a trusted CA).
  • Correct domain name (matches the hostname).

 

If the certificate fails validation (for example: expired, untrusted, or mismatched), FortiGate flags it as 'certificate-probe-failed'.
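To tell which of the failure reasons above applies (TCP handshake, TLS handshake, or an untrusted/expired/mismatched certificate), the same three checks can be repeated from a host that can reach the server. The script below is an added example, not FortiGate's probe code; it assumes the system CA store on the host matches what is installed on the FortiGate and uses the hostname from the log example later in this article only as a default target.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def classify_probe_error(exc):
    """Map an exception raised during the probe to one of the failure reasons."""
    # Order matters: SSLCertVerificationError and SSLError are both OSError subclasses.
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Expired, untrusted CA and hostname mismatch all surface here.
        return "certificate validation failed: " + getattr(exc, "verify_message", str(exc))
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: " + str(exc)
    if isinstance(exc, OSError):
        return "TCP handshake failed (refused, unreachable or timed out): " + str(exc)
    return "unexpected error: " + repr(exc)


def probe_server(host, port=443, timeout=5.0):
    """Connect over TCP, complete a TLS handshake with SNI and validate the server
    certificate against the system trust store; report why the probe failed."""
    ctx = ssl.create_default_context()  # trusted CAs + hostname check, as the FortiGate probe does
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                return {"ok": True, "tls_version": tls.version(),
                        "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("organizationName"),
                        "expires": expires.isoformat()}
    except Exception as exc:  # report the reason instead of raising
        return {"ok": False, "reason": classify_probe_error(exc)}


if __name__ == "__main__":
    # Default target taken from the log example in this article; pass another host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "www.catalog.update.microsoft.com"
    print(probe_server(target))
```

If the host-side probe succeeds while FortiGate's fails, the remaining candidates are misrouted probe traffic or a CA missing from the FortiGate, which is where the tls-active-probe settings and the trusted-CA store should be checked.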

 

Certificate probe traffic may require additional parameters (egress interface, VDOM, source IP) to reach the destination server correctly. It can be controlled with the following options:

 

config ips global
    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name>          <----- when method is 'specify'
        set vdom <vdom name>               <----- when method is 'sdwan' or 'specify'
        set source-ip <source_ipv4>        <----- when method is 'sdwan' or 'specify'
        set source-ip6 <source_ipv6>       <----- when method is 'sdwan' or 'specify'
    end
end

 

  1. The TLS handshake fails because the first Client Hello seen on the server side is a forged Client Hello sent by FortiGate to probe for the server's certificate. The server does not recognize this Client Hello as it would in inspection mode, so the handshake fails.
  2. The default behavior of the read-only certificate-inspection profile is to drop the client session to that server when the server does not accept the FortiGate probe.
  3. This failure terminates the original SSL session from client to server, which is why an option to control this behavior was added from v7.0.1 onward.

 

Because no option can be modified in the built-in 'read-only certificate' profile, it is recommended to create a clone of it and, in the clone, set the action for the HTTPS protocol to 'allow' instead of the default 'block'.

 

This behavior is controlled by the 'set cert-probe-failure [block|allow]' setting in the SSL inspection profile.

 

This setting will allow the original SSL connection to continue when the certificate-probe attempt fails. This feature is available per protocol.

 

Using the CLI:

config firewall ssl-ssh-profile
    edit <certificate profile name>
        config <protocol name>
            set cert-probe-failure [allow | block]   <----- Default action is block; change it to allow.
        end
    next
end

 

Note:

  1. Starting from v7.6.0, the default action is set to 'allow'. Reference configuration in the CLI:

 

config firewall ssl-ssh-profile                    <----- Modify the SSL/SSH inspection profile.
    edit <Clone of certificate-inspection>         <----- Select the configured (cloned) inspection profile.
        config https                               <----- Modify the settings of the HTTPS protocol.
            set cert-probe-failure allow           <----- Change the firewall behavior when the pre-probe fails (default action is block before v7.6.0).
        end
    next
end

 

Protocols for which the invalid-server-cert action can be modified:

  • SSL.
  • HTTPS.
  • FTPS.
  • IMAPS.
  • POP3S.
  • SMTPS.
  • SSH.

 

See the CLI reference for more information about configuring each.

 

If the certificate probe fails and 'cert-probe-failure' is set to allow, FortiGate cannot obtain the server certificate for deep inspection and passes the session. For example, if the server certificate has expired and FortiGate is configured to block expired certificates, the session is still passed, because FortiGate never saw the server certificate.

In the FortiGate log, two different entries appear: the first shows 'eventsubtype="certificate-probe-failed"', and the following one shows 'action="bypass"'.

 

The HTTPS certificate-probe-failed logs are visible under Log and Report -> Security Events -> SSL.

Example:

 

date=2025-01-21 time=18:24:47 id=7462312776933834936 itime="2025-01-21 18:24:47" euid=3 epid=51504 dsteuid=3 dstepid=101 logflag=0 logver=704062726 devid="FG6H0FXXXXXXXXXX" vd="root" type="utm" subtype="ssl" level="notice" sessionid=614289322 policyid=160 srcip=172.30.0.160 dstip=20.122.253.43 srcport=50908 dstport=443 proto=6 logid=1700062306 service="SSL" action="bypass" eventtime=1737455087728722267 srcintfrole="undefined" dstintfrole="undefined" srcintf="x2" dstintf="x1" eventtype="ssl-anomaly" hostname="www.catalog.update.microsoft.com" msg="SSL connection is bypassed due to unable to retrieve server's certificate" tz="+0800" eventsubtype="certificate-probe-failed" srcuuid="b08738ae-db0e-51eb-6117-cd4931cba94b" dstuuid="b08738ae-db0e-51eb-6117-cd4931cba94b" tlsver="tls1.3" sni="www.catalog.update.microsoft.com" policytype="security-policy" srccountry="Reserved" dstcountry="United States" poluuid="3648201e-b91b-51ef-64a2-449af6c0c252" dtime="2025-01-21 18:24:47" itime_t=1737455087 devname="FG6H0FXXXXXXXXXX"
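Because an allowed probe failure means the session reached the server without FortiGate validating its certificate, these events are worth extracting from the SSL log rather than ignoring. The parser below is an added example, not Fortinet code; the sample lines are constructed and shortened from the log above (the second and third lines, their action values and the third line's eventsubtype are placeholders).

```python
import re

# Constructed sample lines modelled on the FortiGate SSL log above (fields shortened;
# the second and third lines and their action/eventsubtype values are made up).
SAMPLE_LOGS = [
    'date=2025-01-21 time=18:24:47 type="utm" subtype="ssl" level="notice" '
    'sessionid=614289322 policyid=160 srcip=172.30.0.160 dstip=20.122.253.43 dstport=443 '
    'action="bypass" eventtype="ssl-anomaly" hostname="www.catalog.update.microsoft.com" '
    'msg="SSL connection is bypassed due to unable to retrieve server\'s certificate" '
    'eventsubtype="certificate-probe-failed" tlsver="tls1.3" sni="www.catalog.update.microsoft.com"',
    'date=2025-01-21 time=18:25:03 type="utm" subtype="ssl" level="warning" '
    'sessionid=614289400 policyid=160 srcip=172.30.0.161 dstip=198.51.100.7 dstport=443 '
    'action="blocked" eventtype="ssl-anomaly" hostname="portal.example.test" '
    'msg="SSL connection is blocked due to unable to retrieve server\'s certificate" '
    'eventsubtype="certificate-probe-failed" sni="portal.example.test"',
    'date=2025-01-21 time=18:25:10 type="utm" subtype="ssl" level="notice" '
    'sessionid=614289455 policyid=160 srcip=172.30.0.162 dstip=203.0.113.9 dstport=443 '
    'action="passthrough" eventtype="ssl-anomaly" hostname="cdn.example.test" '
    'msg="placeholder anomaly" eventsubtype="placeholder-anomaly"',
]

# FortiGate logs are key=value pairs; quoted values may contain spaces, quotes and '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field -> string value."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def probe_failures(lines):
    """Return (destination, dstip, action) for every certificate-probe-failed event."""
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") == "ssl" and f.get("eventsubtype") == "certificate-probe-failed":
            events.append((f.get("sni") or f.get("hostname"), f.get("dstip"), f.get("action")))
    return events


def bypassed_destinations(lines):
    """Destinations reached with cert-probe-failure=allow, i.e. without FortiGate
    ever validating the server certificate; review these rather than ignoring them."""
    return sorted({dest for dest, _, action in probe_failures(lines) if action == "bypass"})


if __name__ == "__main__":
    for dest, ip, action in probe_failures(SAMPLE_LOGS):
        print(f"{action:<8} {ip:<16} {dest}")
```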

When running the following debug, the 'Probe failed' message can be found:

 

diagnose ips filter set "host x.x.x.x"  <----- The test PC's IP address.
diagnose ips debug enable urlfilter
diagnose ips debug enable ssl
diagnose debug console timestamp enable
diagnose debug enable

 

 [415@-1]eng_debug_log: Probe info:
 [415@-1]eng_debug_log: Server: 13.238.11.13:443
 [415@-1]eng_debug_log: Server name: secure-dcr.imrworldwide.com
 [415@-1]eng_debug_log: STARTTLS: no
 [415@-1]eng_debug_log: Probe failed: unable to connect  <-----------------
 [415@-1]eng_debug_log: parallel probes: 1
 [415@-1]eng_debug_log: Memory usage: 340 KiB, errors: 2985
 [417@-1]probe_finish: probe finished unsuccessfully. id: 8425, sess: 33192  <-----------------
 [417@-1]ssl_resume_sess: sess 33192: ssl resume

 


  1. The 'cert-probe-failure' option is available for custom deep SSL inspection profiles from v7.2.4 and v7.4.0 onward.
  2. To configure the 'cert-probe-failure' option, the 'Inspect all ports' setting must be disabled, as the option is set per protocol.
  3. Changing the inspection mode from proxy-based to flow-based prevents the SSL anomaly and allows the traffic.
  4. Starting from v7.6.0, the 'cert-probe-failure' command is no longer available on the 40F, 41F, 60F, 61F, and their variants. Proxy-related features were removed from these models starting in v7.4.4, and proxy-related features are no longer supported on FortiGate models with 2 GB of RAM.
  5. As of FortiOS releases v7.2.10, v7.4.5, and v7.6.1, certificate inspection is enforced as explained in the FortiOS v7.4.5 release notes, under Bug ID: 1004258. More info is available in Troubleshooting Tip: How to fix 'SSL connection is blocked due to unable to retrieve servers certifi....