FortiGate
rsondal
Staff
Article Id 217777
Description This article describes troubleshooting tips to solve a security alert popup issue.
Scope FortiGate all firmware.
Solution
  1. The following Security Alerts appear one after the other:
  • outlook.office365.com (exported certificate attached)
  • autodiscover-s.outlook.com (exported certificate attached)

  2. View the certificate. It should be signed by the FortiGate:

  3. The cause may be either the firewall performing deep packet inspection on the traffic or the firewall blocking the site.

With deep packet inspection, the FortiGate acts as a man-in-the-middle (MITM) and re-signs the server certificate with its own self-signed CA certificate. The same happens with certificate inspection when the FortiGate needs to present a 'BLOCKED PAGE' to the client.

  4. Check the traffic logs to find the policy that handles this traffic, and verify whether any UTM (security profile) is applied to that policy.
  5. Check whether the policy uses deep inspection. This is one possible cause of the issue.
  6. Check every UTM profile on that policy, and review the logs for each profile one by one to find the blocked traffic for the site.

  7. Check the web filter logs (under Log & Report > Web Filter; in version 7.2+, under Log & Report > Security Events > Web Filter). They show that outlook.office365.com, autodiscover-s.outlook.com, and outlook.office.com were blocked with the category 'Web-based Email' and a message that the URL belongs to a denied category.
  8. Check whether the 'Web-based Email' category is set to 'Block' in the web filter profile used by the policy.
  9. Blocking the whole 'Web-based Email' category is not ideal, so exempt the required URLs with a static URL filter entry in the web filter profile.

Example:

The following example exempts autodiscover-s.outlook.com, the host named in the second security alert.

  10. This should fix the issue. The other FQDNs that were being blocked can be exempted in the same way.
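As an added example (not part of the article and not Fortinet's code), the following Python script ties the web filter log step and the exemption step together: it parses FortiGate web filter log lines in the standard key=value format, collects the hostnames blocked under 'Web-based Email' per policy ID, and renders the equivalent FortiOS CLI static URL filter with one 'exempt' entry per host. The log lines are constructed samples; the table ID and table name are placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in the FortiGate key=value log format (not taken from the article).
SAMPLE_LOGS = [
    'date=2022-07-15 time=10:01:02 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=7 srcip=10.0.0.12 '
    'hostname="outlook.office365.com" profile="default" action="blocked" '
    'url="https://outlook.office365.com/" cat=23 catdesc="Web-based Email"',
    'date=2022-07-15 time=10:01:03 logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="root" policyid=7 srcip=10.0.0.12 '
    'hostname="autodiscover-s.outlook.com" profile="default" action="blocked" '
    'url="https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml" cat=23 catdesc="Web-based Email"',
    'date=2022-07-15 time=10:01:04 logid="0316013057" type="utm" subtype="webfilter" '
    'eventtype="ftgd_allow" level="notice" vd="root" policyid=7 srcip=10.0.0.12 '
    'hostname="www.fortinet.com" profile="default" action="passthrough" '
    'url="https://www.fortinet.com/" cat=52 catdesc="Information Technology"',
]

# key=value pairs; quoted values may contain spaces (e.g. catdesc="Web-based Email").
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}

def blocked_hosts(lines: List[str], category: str = "Web-based Email") -> Dict[str, Set[str]]:
    """Map policy ID -> hostnames the web filter blocked under the given FortiGuard category."""
    result: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_log(line)
        if (rec.get("subtype") == "webfilter" and rec.get("action") == "blocked"
                and rec.get("catdesc") == category):
            result.setdefault(rec["policyid"], set()).add(rec["hostname"])
    return result

def exempt_cli(hosts: Set[str], table_id: int = 1, name: str = "outlook-exempt") -> str:
    """Render a FortiOS 'config webfilter urlfilter' table with an exempt entry per host (placeholder id/name)."""
    out = ["config webfilter urlfilter", f"    edit {table_id}", f'        set name "{name}"',
           "        config entries"]
    for i, host in enumerate(sorted(hosts), start=1):
        out += [f"            edit {i}", f'                set url "{host}"',
                "                set type simple", "                set action exempt",
                "            next"]
    out += ["        end", "    next", "end"]
    return "\n".join(out)

if __name__ == "__main__":
    print(exempt_cli(blocked_hosts(SAMPLE_LOGS)["7"]))
```

The rendered table still has to be attached to the web filter profile (config webfilter profile > edit <profile> > config web > set urlfilter-table <id>) before the exemptions take effect.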

 

Another option:

  1. Create a new firewall policy with the Internet Service 'Microsoft Outlook' as the destination address and apply no inspection.
  2. Move it above the policy that performs deep packet inspection.

Related article:

Using Internet Service in a policy.