FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
kcheng
Staff & Editor
Article Id 404781
Description This article describes the impact of DNS server stability on validating the certificate chain while using the FortiProxy/FortiGate explicit proxy feature.
Scope FortiProxy, FortiGate, Explicit Proxy.
Solution

Configuration:

FortiProxy is configured as an explicit proxy, and a certificate-inspection profile is in use.

Symptoms:

The end user might report that the browser flags the certificate authority for well-known websites as invalid.

The FortiProxy certificate is presented when the end user attempts to access well-known web pages.

Basic troubleshooting on FortiProxy indicates that Internet access is healthy.

Troubleshooting:

Enable debugging to check on the issue:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose wad filter src <user_IP>
diagnose wad debug enable level verbose
diagnose wad debug enable category all
diagnose debug enable

If the following is observed, the DNS server is not reachable from the proxy:

[I]2025-08-03 19:39:41.988243 [p:4445] wad_dns_parse_name_resp :205 0: DNS response received for remote host a.clarity.ms req-id=0 ipv4=1
[V]2025-08-03 19:39:41.988258 [p:4445] wad_dns_parse_name_resp :324 a.clarity.ms: resp_type=0 notify=1 cdata=0 N/A
[I]2025-08-03 19:39:41.988269 [p:4445][s:1851437640][r:7995] wad_http_dns_request_done :14039 [0x7f266d218048] DNS resolved: N/A
[V]2025-08-03 19:39:41.988301 [p:4445][s:1851437640][r:7995] wad_tcp_port_out_read_block :1397 tcp_port 0x7f267901e4b0 fd=45 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2025-08-03 19:39:41.988307 [p:4445][s:1851437640][r:7995] wad_tcp_port_out_read_block :1417 tcp_port=0x7f267901e4b0 transport on=0
[V]2025-08-03 19:39:41.988308 [p:4445][s:1851437640][r:7995] wad_tcp_port_transport_read_block :1356 tcp_port 0x7f267901e4b0 fd=45 on=0 n_out_block=1 in(/out)_shutdown=0/0 closed=0 events=0x40.
[V]2025-08-03 19:39:41.988309 [p:4445][s:1851437640][r:7995] wad_tcp_port_transport_read_block :1384 sock 45 read_block removed, turn on readability.
[V]2025-08-03 19:39:41.988331 [p:4445][s:1851437640][r:7995] wad_http_msg_strm_resume :1141 strm resumed, execute=wad_http_clt_read_req_line is_clt=1
[V]2025-08-03 19:39:41.988387 [p:4445][s:1851437640][r:7995] wad_http_req_exec_tunnel_convert :5431 hs=0x7f2673ced9d8 ssl_proc=dbkh intercept=block_req deep_scan=1 ret=1
[I]2025-08-03 19:39:41.988398 [p:4445][s:1851437640][r:7995] wad_dump_fwd_http_resp :2848 hreq=0x7f266d218048 Forward response from Internal:

HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0
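As an added example (not Fortinet's code), the following Python picks the DNS failure out of wad debug output of the kind shown above: it parses each line, remembers the hostname announced by wad_dns_parse_name_resp on the same worker process, and reports every wad_http_dns_request_done that finished with "DNS resolved: N/A" together with its session id, so that intermittent failures can be counted per host over a longer capture. The line layout and the per-worker correlation are assumptions drawn from the three lines quoted above.

```python
import re
from collections import defaultdict

# Three wad debug lines taken from the output above (the start of one DNS failure).
SAMPLE_LOG = """\
[I]2025-08-03 19:39:41.988243 [p:4445] wad_dns_parse_name_resp :205 0: DNS response received for remote host a.clarity.ms req-id=0 ipv4=1
[V]2025-08-03 19:39:41.988258 [p:4445] wad_dns_parse_name_resp :324 a.clarity.ms: resp_type=0 notify=1 cdata=0 N/A
[I]2025-08-03 19:39:41.988269 [p:4445][s:1851437640][r:7995] wad_http_dns_request_done :14039 [0x7f266d218048] DNS resolved: N/A
"""

# Assumed shape of a wad line: [level]timestamp [p:pid][s:sess][r:req] func :srcline message
LINE_RE = re.compile(
    r"^\[(?P<lvl>[A-Z])\](?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"(?P<ctx>(?:\[[a-z]:\d+\])+) (?P<func>\w+) :(?P<ln>\d+) (?P<msg>.*)$"
)
HOST_RE = re.compile(r"DNS response received for remote host (?P<host>\S+)")

def parse_line(line):
    """Split one debug line into its fields, or return None if it is not a wad line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ctx"] = dict(re.findall(r"\[([a-z]):(\d+)\]", rec["ctx"]))  # {'p': '4445', 's': ..., 'r': ...}
    return rec

def find_dns_failures(log_text):
    """Return one finding per HTTP request whose lookup ended with 'DNS resolved: N/A'."""
    last_host = {}  # worker pid -> hostname in the most recent DNS response seen on that worker
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid = rec["ctx"].get("p")
        if rec["func"] == "wad_dns_parse_name_resp":
            h = HOST_RE.search(rec["msg"])
            if h:
                last_host[pid] = h.group("host")
        elif rec["func"] == "wad_http_dns_request_done" and rec["msg"].endswith("DNS resolved: N/A"):
            findings.append({"ts": rec["ts"], "session": rec["ctx"].get("s"),
                             "host": last_host.get(pid, "unknown")})
    return findings

def failures_per_host(findings):
    """Count failed lookups per hostname; repeated hits on one host point at flapping DNS."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["host"]] += 1
    return dict(counts)
```

Feed it the full output of the diagnose session to see which hosts failed to resolve and when, which is what the end user's intermittent certificate warnings line up with.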


Further verification on the FortiProxy indicates that the DNS servers have not been reachable.

Note that the behavior can be intermittent if the DNS server's reachability is intermittent. The end user might observe the certificate error prompt while accessing the Outlook app or browsing a well-known website, and it resolves on refreshing the page, without any change to the proxy policy.

It has been confirmed that DNS server stability is important when validating a web server certificate. If the DNS server cannot resolve the FQDN, certificate validation fails because the proxy server is unable to retrieve the certificate chain or the OCSP response.

The main reason the browser shows a certificate warning instead of a proxy error page is that the certificate specified in the certificate-inspection profile has not been imported into the user's browser. To display an error message when FortiProxy has an issue connecting to the DNS server, that certificate must be imported into the user's browser.

Once it is imported, error messages are displayed properly in the user's browser (sample screenshots below) whenever the explicit proxy service faces a DNS issue, a block page, etc.

Access_Denied_ExplicitProxy.png


504_DNS_Look_UP_Failed_Explicit_Proxy.png