FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
abarad
Staff
Article Id 200844

 

Description

This article describes how to resolve an issue in which a FortiGate SSL profile blocks all HTTPS (port 443) traffic with a 'certificate-probe-failed' event while read-only certificate inspection is in use.

Scope

FortiGate.

Solution

Certificate probing (certificate-probe) is a feature introduced in v7.0. In v7.0 and later, the FortiGate pre-probes the server for its certificate: it performs a CERTIFICATE INSPECTION of the server before the actual client-server connection is established.


The certificate-probe fails for one of the following reasons:

  1. The TCP handshake fails.
  2. The TLS handshake fails (see: Diagnosing SSL/TLS handshake failures).
  3. The probe traffic is misrouted and does not reach the server.
  4. The Root or Intermediate CA of the server certificate is not trusted by, or not installed on, the FortiGate device.
  5. The server's certificate is expired or revoked, or its domain name does not match the requested host name.

Note:

The host name value is validated against the DNS entries in the Subject Alternative Name (SAN) extension first; only if that extension is not present is the host name validated against the subject DN's common name.

The certificate-probe works as follows:

 

  1. Before the FortiGate allows the connection between a workstation and a remote server through any protocol (SSL VPN, HTTPS), the FortiGate sends a HELLO packet to the server, expecting to establish an SSL/TLS connection to the server.
  2. When the FortiGate receives the SERVER CERTIFICATE, it checks the server's certificate for:
    • Validity (not expired or revoked).
    • Trust (issued by a trusted CA).
    • Correct domain name (matches the hostname).
      If the certificate fails validation (for example, expired, untrusted, or mismatched), the FortiGate flags it as 'certificate-probe-failed'.
  3. If for any reason the server does not reply to the FortiGate, the handshake fails, so the certificate-probe fails and the connection is blocked. The server may not reply to the FortiGate for several reasons:

    1. The server does not expect to receive a hello from the FortiGate IP.
    2. The server does not trust the CA that signs the FortiGate's certificate.

 

Troubleshooting:

Certificate probe traffic may require additional parameters to reach the destination server correctly. Certificate probe traffic can be controlled with the following options:

 

config ips global

    config tls-active-probe
        set interface-selection-method <auto|sdwan|specify>
        set interface <intf name> - when method 'specify'
        set vdom <vdom name> - when method 'sdwan' or 'specify'
        set source-ip <source_ipv4> - when method 'sdwan' or 'specify'
        set source-ip6 <source_ipv6> - when method 'sdwan' or 'specify'
    end

end

 

Corrective actions:

The default behavior is to drop the client session when the server does not accept the FortiGate probe. This drop is logged as a BLOCKED connection due to the SSL profile:

 

date="2025-01-01" time="12:00:00" ..... type="utm" subtype="ssl" level="warning" policyid=20 srcip="10.0.1.1" dstip="34.123.123.123" srcport=54275 dstport=443 proto=6 service="HTTPS" action="blocked" eventtype="ssl-anomaly" profile="Certificate-Inspection" hostname="example.com" eventsubtype="certificate-probe-failed" 

 

The default 'certificate-inspection' profile is read-only, so clone it and modify the clone:

 

config firewall ssl-ssh-profile
    edit <certificate profile name>
        config <protocol name>
            set cert-probe-failure [allow | block] --> Default action is block; change it to allow.
        end
    next
end

 

This setting will allow the original SSL connection to continue when the certificate-probe attempt fails. This feature is available per protocol.

 

Note:

  1. Starting from v7.6.0, the default action is set to 'allow'. Reference configuration in the CLI:

 

config firewall ssl-ssh-profile  <----- This command is used to modify the SSL/SSH inspection profile.
    edit <Clone of certificate-inspection>  <----- This command is used to modify the configured inspection profile.
        config https  <----- This command is used to modify the settings of the HTTPS protocol.
            set cert-probe-failure allow  <----- This command is used to change firewall behavior when the pre-probe fails (Default action is Block).
        end
    next
end

 

List of available protocols for which the invalid-server-cert action can be modified:

  • SSL.
  • HTTPS.
  • FTPS.
  • IMAPS.
  • POP3S.
  • SMTPS.
  • SSH.

 

See this document: config firewall ssl-ssh-profile for more information about configuring each.

 

If the FortiGate's 'certificate-probe' fails and 'cert-probe-failure' is set to allow, the FortiGate cannot obtain the server certificate for deep inspection, and it passes the session.

 

For example, if the server certificate has expired and the FortiGate is set to block expired certificates, the session is still passed because the FortiGate cannot see the server certificate. The FortiGate log shows two different entries: the first shows 'eventsubtype="certificate-probe-failed"', and the following one shows 'action="bypass"'.

 

The HTTPS certificate-probe-failed logs are visible under Log and Report -> Security Events -> SSL:

 


 

Example:

 

date=2025-01-21 time=18:24:47 id=7462312776933834936 itime="2025-01-21 18:24:47" euid=3 epid=51504 dsteuid=3 dstepid=101 logflag=0 logver=704062726 devid="FG6H0FXXXXXXXXXX" vd="root" type="utm" subtype="ssl" level="notice" sessionid=614289322 policyid=160 srcip=172.30.0.160 dstip=20.122.253.43 srcport=50908 dstport=443 proto=6 logid=1700062306 service="SSL" action="bypass" eventtime=1737455087728722267 srcintfrole="undefined" dstintfrole="undefined" srcintf="x2" dstintf="x1" eventtype="ssl-anomaly" hostname="www.catalog.update.microsoft.com" msg="SSL connection is bypassed due to unable to retrieve server's certificate" tz="+0800" eventsubtype="certificate-probe-failed" srcuuid="b08738ae-db0e-51eb-6117-cd4931cba94b" dstuuid="b08738ae-db0e-51eb-6117-cd4931cba94b" tlsver="tls1.3" sni="www.catalog.update.microsoft.com" policytype="security-policy" srccountry="Reserved" dstcountry="United States" poluuid="3648201e-b91b-51ef-64a2-449af6c0c252" dtime="2025-01-21 18:24:47" itime_t=1737455087 devname="FG6H0FXXXXXXXXXX"
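The two log entries described above can be correlated to see which sessions are being passed without inspection once 'cert-probe-failure' is set to allow. The following is an added example, not part of this article or of FortiOS: a small parser for FortiGate key=value log lines that selects 'certificate-probe-failed' events and counts them by action, over constructed sample lines modelled on the log format shown above.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiGate key=value log format (not real traffic).
SAMPLE_LOGS = [
    'date="2025-01-01" time="12:00:00" type="utm" subtype="ssl" level="warning" policyid=20 '
    'srcip="10.0.1.1" dstip="34.123.123.123" srcport=54275 dstport=443 proto=6 service="HTTPS" '
    'action="blocked" eventtype="ssl-anomaly" profile="Certificate-Inspection" '
    'hostname="example.com" eventsubtype="certificate-probe-failed"',
    'date=2025-01-21 time=18:24:47 type="utm" subtype="ssl" level="notice" policyid=160 '
    'srcip=172.30.0.160 dstip=20.122.253.43 srcport=50908 dstport=443 proto=6 service="SSL" '
    'action="bypass" eventtype="ssl-anomaly" hostname="www.catalog.update.microsoft.com" '
    'msg="SSL connection is bypassed due to unable to retrieve server\'s certificate" '
    'eventsubtype="certificate-probe-failed" tlsver="tls1.3" sni="www.catalog.update.microsoft.com"',
    # An ordinary forward-traffic log line, which the filter must ignore.
    'date=2025-01-21 time=18:25:01 type="traffic" subtype="forward" level="notice" policyid=160 '
    'srcip=172.30.0.160 dstip=93.184.216.34 srcport=50910 dstport=443 proto=6 service="HTTPS" '
    'action="accept"',
]

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field -> value (quotes stripped)."""
    return {key: bare if bare else quoted for key, quoted, bare in FIELD_RE.findall(line)}


def probe_failures(lines):
    """Return the parsed UTM/SSL events whose eventsubtype is certificate-probe-failed."""
    events = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") == "ssl" and rec.get("eventsubtype") == "certificate-probe-failed":
            events.append(rec)
    return events


def summarize(lines):
    """Count probe failures per action ('blocked' = default block, 'bypass' = allow, no deep
    inspection) and collect the affected server names (SNI, else hostname, else dstip)."""
    by_action = Counter()
    hosts = {}
    for rec in probe_failures(lines):
        action = rec.get("action", "unknown")
        by_action[action] += 1
        hosts.setdefault(action, set()).add(rec.get("sni") or rec.get("hostname") or rec.get("dstip"))
    return by_action, hosts


if __name__ == "__main__":
    counts, affected = summarize(SAMPLE_LOGS)
    for action, n in counts.items():
        print(f"{action}: {n} probe failure(s) -> {sorted(affected[action])}")
```

Hosts listed under 'bypass' are the ones that reached the network without certificate inspection, so they are the candidates to check for misrouting or a missing CA before leaving 'allow' in place.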

 

 

When running the following debug commands, the 'Probe failed' message can be found in the output:

 

diagnose ips filter set "host x.x.x.x"  <----- testPC's IP address.
diagnose ips debug enable urlfilter
diagnose ips debug enable ssl
diagnose debug console timestamp enable
diagnose debug enable

 

 [415@-1]eng_debug_log: Probe info:
 [415@-1]eng_debug_log: Server: 13.238.11.13:443
 [415@-1]eng_debug_log: Server name: secure-dcr.imrworldwide.com
 [415@-1]eng_debug_log: STARTTLS: no
 [415@-1]eng_debug_log: Probe failed: unable to connect  <-----------------
 [415@-1]eng_debug_log: parallel probes: 1
 [415@-1]eng_debug_log: Memory usage: 340 KiB, errors: 2985
 [417@-1]probe_finish: probe finished unsuccessfully. id: 8425, sess: 33192  <-----------------
 [417@-1]ssl_resume_sess: sess 33192: ssl resume

 

Note: