This can happen with an application server within the internal network that needs to serve users on the internet. Mapping the internal private IP address to a public IP address with VIP is required.

Conditions under which this can happen:

1. The firewall policy which permits traffic from internet to the internal application server is in the inspection mode 'proxy mode'; the SSL inspection profile can be 'certificate inspection', deep-inspection, or custom-deep-inspection. Either way, the internal private IP address may be visible under 'Certificate Subject Alternative Name'.
2. The default certificate is used for the SSL/SSH inspection profile.

How to check if the internal IP address is visible on the Internet:

The internal IP address can be seen on 'censys search'.

Go to https://search.censys.io/ and enter the public IP address (external IP under VIP configuration on FortiGate). Under 'HTTP 8015/TCP', find TLS > Certificate. Check to see if the internal private IP is visible.

Alternatively, check by entering https://x.x.x.x:8015 in the browser (where x.x.x.x is the public IP address) and then select the certificate details to see if 'Certificate Subject Alternative Name' reveals the private IP.

How to fix:

1. Choose the 'custom-deep-inspection' SSL inspection profile under the firewall policy governing this traffic since it is the only profile that is editable by default, and disable the Server’s certificate SNI check.

config firewall ssl-ssh-profile
    edit "custom-deep-inspection" <- SSL/SSH inspection profile.
        config https
            set sni-server-cert-check disable <- Disable.
        end
    next
end

2. If option 1 above did not fix it, change the certificate to custom, purchased/issued by a known certificate authority.