The behavior is observed on FortiGate 200G/201G running FortiOS v7.6.4 when a firewall policy uses proxy-based inspection together with the deep-inspection SSL/SSH profile. The same behavior occurs whether the policy uses Fortinet's built-in CA certificates (Fortinet_CA_SSL, Fortinet_Default_SSL) or a custom certificate signed by a third-party CA.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
While accessing any site, the following error is observed.

The WAD debugs on the FortiGate show the following error:
FGT# diagnose debug console timestamp enable
FGT# diagnose wad debug enable level verbose
FGT# diagnose wad debug display pid enable
FGT# diagnose wad debug enable category all
FGT# diagnose wad filter src 172.16.200.10
FGT# diagnose debug enable
[I][p:3689][s:168] wad_tcp_port_on_connect :2066 TCP connection 0x7f5a65895190 fd=130 connected 172.16.200.10:39700->172.16.200.55:443
[I][p:3689][s:168] wad_ssl_port__open :23550 port=0x7f5a65895190 type=7 making SSL port
[V][p:3689][s:168] wad_ssl_negotiate_make :2845 nego=0x7f5a65b7d168
[V][p:3689][s:168] wad_webproxy_global_load_ca_cert :3107 load web-proxy global cert for vd=root, ca/cert = Fortinet_CA_SSL/Fortinet_Default_SSL
[I][p:3689][s:168] wad_cert_auth_new :2021 Making new local cert Fortinet_CA_SSL in vd root
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_CA_SSL.cer
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_CA_SSL.key
[E][p:3689][s:168] wad_auth_bin_load_local_priv_key :1959 bad private key
[V][p:3689][s:168] wad_cert_auth_bin_delete :2089 deleting ca_bin 0x7f5a658e3fc8
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/hsm_local/root_Fortinet_CA_SSL.cer
[I][p:3689][s:168] wad_cert_auth_new :2021 Making new local cert Fortinet_Default_SSL in vd root
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_Default_SSL.cer
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_Default_SSL.key
[E][p:3689][s:168] wad_auth_bin_load_local_priv_key :1959 bad private key
[V][p:3689][s:168] wad_cert_auth_bin_delete :2089 deleting ca_bin 0x7f5a658e4038
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/hsm_local/root_Fortinet_Default_SSL.cer
[V][p:3689][s:168] wad_webproxy_global_load_ca_cert :3116 load user setting cert for vd=root, ca/cert = /Fortinet_Default_SSL
[I][p:3689][s:168] wad_cert_auth_new :2021 Making new local cert Fortinet_Default_SSL in vd root
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_Default_SSL.cer
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/local/root_Fortinet_Default_SSL.key
[E][p:3689][s:168] wad_auth_bin_load_local_priv_key :1959 bad private key
[V][p:3689][s:168] wad_cert_auth_bin_delete :2089 deleting ca_bin 0x7f5a658e40a8
[V][p:3689][s:168] __wad_ui_ssl_get_cert_path :314 gen cert path: /etc/cert/hsm_local/root_Fortinet_Default_SSL.cer
[E][p:3689][s:168] wad_ssl_cert_get_ca :1895 failed to load ca, dio_prof = 0x7f5a65d95148
[V][p:3689][s:168] wad_ssl_port_update_cert_mode :7185 wsp(0x7f5a6587d048/7) failed to get ca!
[I][p:3689][s:168] wad_ssl_port_close :23360 sp=0x7f5a6587d048/7 state=0, half=0
[I][p:3689][s:168] wad_ssl_negotiate_close :2782 nego=0x7f5a65b7d168
[I][p:3689][s:168] wad_ssl_port__open :23866 wsp=(nil)/0 SSL-port open fail type=7 port=0x7f5a65895190 vd=0 svr=172.16.200.55:443: update-cert fail
[I][p:3689][s:168] wad_tcp_port_proc_end :827 tcp=0x7f5a65895048 socket=129 good=0 both ends closed.
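To confirm this failure chain in a larger WAD debug capture, the following script (added here as an example; it is not part of the original article or of FortiOS) parses lines of the format shown above, groups them by WAD session id and flags sessions where the "bad private key" errors are followed by a failed CA load and an SSL-port open failure. The sample log is constructed from the output above, with a second session id (169) added as an unaffected control.

```python
import re
from collections import defaultdict

# WAD debug line: [LEVEL][p:PID][s:SESSION] function :srcline message
WAD_LINE = re.compile(r"^\[(?P<lvl>\w)\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\s+"
                      r"(?P<func>\w+)\s+:(?P<src>\d+)\s+(?P<msg>.*)$")
CERT_RE = re.compile(r"Making new local cert (\S+) in vd (\S+)")

# Constructed sample, condensed from the debug output above (one entry per line);
# session 169 is a constructed second connection that shows no failure.
SAMPLE_LOG = """\
[I][p:3689][s:168] wad_tcp_port_on_connect :2066 TCP connection 0x7f5a65895190 fd=130 connected 172.16.200.10:39700->172.16.200.55:443
[I][p:3689][s:168] wad_cert_auth_new :2021 Making new local cert Fortinet_CA_SSL in vd root
[E][p:3689][s:168] wad_auth_bin_load_local_priv_key :1959 bad private key
[I][p:3689][s:168] wad_cert_auth_new :2021 Making new local cert Fortinet_Default_SSL in vd root
[E][p:3689][s:168] wad_auth_bin_load_local_priv_key :1959 bad private key
[E][p:3689][s:168] wad_ssl_cert_get_ca :1895 failed to load ca, dio_prof = 0x7f5a65d95148
[I][p:3689][s:168] wad_ssl_port__open :23866 wsp=(nil)/0 SSL-port open fail type=7 port=0x7f5a65895190 vd=0 svr=172.16.200.55:443: update-cert fail
[I][p:3689][s:169] wad_tcp_port_on_connect :2066 TCP connection 0x7f5a65895200 fd=131 connected 172.16.200.10:39702->172.16.200.56:443
"""

def parse_wad_log(text):
    """Group WAD debug lines by session id and record the CA-load failure chain."""
    sessions = defaultdict(lambda: {"server": None, "bad_key_certs": [],
                                    "ca_load_failed": False, "ssl_open_failed": False})
    last_cert = {}  # per session: the local cert WAD is currently trying to load
    for line in text.splitlines():
        m = WAD_LINE.match(line)
        if not m:
            continue  # CLI prompts and other non-WAD output
        sid, func, msg = m["sid"], m["func"], m["msg"]
        s = sessions[sid]
        if func == "wad_tcp_port_on_connect":
            s["server"] = msg.rsplit("->", 1)[-1]
        elif func == "wad_cert_auth_new" and (cm := CERT_RE.search(msg)):
            last_cert[sid] = cm.group(1)
        elif func == "wad_auth_bin_load_local_priv_key" and "bad private key" in msg:
            s["bad_key_certs"].append(last_cert.get(sid, "?"))
        elif func == "wad_ssl_cert_get_ca" and "failed to load ca" in msg:
            s["ca_load_failed"] = True
        elif func == "wad_ssl_port__open" and "SSL-port open fail" in msg:
            s["ssl_open_failed"] = True
    return dict(sessions)

def affected_sessions(text):
    """Session ids where the full chain bad key -> failed CA load -> SSL-port open fail appears."""
    return sorted(sid for sid, s in parse_wad_log(text).items()
                  if s["bad_key_certs"] and s["ca_load_failed"] and s["ssl_open_failed"])
```

Feed it the saved console output of the debug commands above; a session listed by affected_sessions with both Fortinet_CA_SSL and Fortinet_Default_SSL in bad_key_certs matches the behavior described in this article.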
The issue has been reported, and the fix is scheduled for the upcoming v7.6.5 release.
As a temporary workaround, changing the inspection mode of the affected policy from proxy-based to flow-based avoids this issue.