FortiSASE
auppal
Staff
Article Id 308261
Description
This article describes, and presents a solution for, a common scenario in which users connected to FortiSASE try to reach a destination host whose certificate has expired and the connection is blocked. The blocked destination can be an internal or an external host with an expired certificate.

When this happens, by default a block page similar to the one shown below is displayed to the user:

308261-1-block-page-example.png

Additionally, a log with the Event Type 'ssl-anomaly', Event Subtype 'certificate-anomaly', and Message 'SSL connection is blocked, certificate-status:expired' is expected under Analytics -> Security -> SSL Inspection:

308261-2-log-example-1.png

308261-2-log-example-2.png

date=2024-07-24 time=17:17:38 id=7395252759596892192 itime="2024-07-24 17:17:40" euid=1243 epid=104 dsteuid=3 dstepid=101 logver=702086296 sfsid=7395252787519154087 type="utm" subtype="ssl" level="warning" sessionid=240354 policyid=81 srcip=100.65.32.1 dstip=104.154.89.105 srcport=59814 dstport=443 proto=6 logid=1700062303 service="SSL" user="user@example.com" action="blocked" eventtime=1721841457918915510 srcintfrole="undefined" dstintfrole="undefined" srcintf="ssl.root" dstintf="port4" eventtype="ssl-anomaly" profile="Owner" hostname="expired.badssl.com" certhash="forticlient" msg="SSL connection is blocked, certificate-status: expired." tz="+0000" srcdomain="3144968954924B1EA6FB4C79FB7BBABB" vrf=10 eventsubtype="certificate-anomaly" srcuuid="4a99962a-2a8b-51ef-bc30-e81ae7f275f8" dstuuid="e9aa3a7e-0162-51ee-d7e8-23f0957fb433" direction=outbound policytype="policy" srccountry="Reserved" dstcountry="United States" poluuid="4471cb3a-455e-51ef-127d-967ee915c0c1" devid="FGVMPGTMxxxxxxxx" vd="root" csf="0hqzec0p" dtime="2024-07-24 17:17:38" itime_t=1721841460 devname="San_Jose_California_USA"
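The raw record above is in the Fortinet key=value log format, and Step 1 of the Solution below depends on pulling the affected Policy ID(s) out of such records. The following script is an added example, not part of the article or of FortiSASE itself: it parses records of that format (quoted values may contain spaces), keeps only SSL-inspection blocks whose message reports an expired certificate, and groups the blocked hostnames by policyid so an administrator can see which policies (and therefore which profile groups) need attention. The sample log lines are constructed for the example; the first is a trimmed copy of the article's record and the others are invented, including an unrelated web-filter record that must be ignored.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the FortiSASE key=value format. The first is
# a trimmed copy of the record shown in the article; the others are invented
# to show grouping across policies and a record that must not match.
SAMPLE_LOGS = [
    'date=2024-07-24 time=17:17:38 type="utm" subtype="ssl" level="warning" '
    'policyid=81 srcip=100.65.32.1 dstip=104.154.89.105 dstport=443 '
    'user="user@example.com" action="blocked" eventtype="ssl-anomaly" '
    'hostname="expired.badssl.com" '
    'msg="SSL connection is blocked, certificate-status: expired." '
    'eventsubtype="certificate-anomaly"',
    # Same policy, an internal host; the message variant without a space is the
    # spelling used in the article text, so the filter normalises for both.
    'date=2024-07-24 time=17:20:01 type="utm" subtype="ssl" level="warning" '
    'policyid=81 srcip=100.65.32.7 dstip=10.20.30.40 dstport=443 '
    'user="user2@example.com" action="blocked" eventtype="ssl-anomaly" '
    'hostname="intranet.example.internal" '
    'msg="SSL connection is blocked, certificate-status:expired" '
    'eventsubtype="certificate-anomaly"',
    # A second policy affected by the same problem.
    'date=2024-07-24 time=17:25:12 type="utm" subtype="ssl" level="warning" '
    'policyid=102 srcip=100.65.32.9 dstip=10.20.30.41 dstport=443 '
    'user="user3@example.com" action="blocked" eventtype="ssl-anomaly" '
    'hostname="legacy.example.internal" '
    'msg="SSL connection is blocked, certificate-status: expired." '
    'eventsubtype="certificate-anomaly"',
    # An unrelated web-filter record (constructed) that must be ignored.
    'date=2024-07-24 time=17:26:00 type="utm" subtype="webfilter" '
    'level="notice" policyid=81 action="passthrough" eventtype="ftgd_allow" '
    'hostname="www.example.com" msg="URL belongs to an allowed category"',
]

# key=value pairs; a value is either double-quoted (may contain spaces and
# escaped quotes) or a bare run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Parse one Fortinet-style key=value log record into a dict of strings."""
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_expired_cert_block(fields):
    """True for an SSL inspection block caused by an expired certificate."""
    # Strip spaces so both 'certificate-status: expired' and
    # 'certificate-status:expired' match.
    msg = fields.get("msg", "").replace(" ", "").lower()
    return (
        fields.get("eventtype") == "ssl-anomaly"
        and fields.get("eventsubtype") == "certificate-anomaly"
        and fields.get("action") == "blocked"
        and "certificate-status:expired" in msg
    )


def affected_policies(lines):
    """Map each policyid to the sorted list of hostnames blocked under it."""
    hosts_by_policy = defaultdict(set)
    for line in lines:
        fields = parse_fortilog(line)
        if is_expired_cert_block(fields):
            hosts_by_policy[fields.get("policyid", "unknown")].add(
                fields.get("hostname", "unknown")
            )
    return {pid: sorted(hosts) for pid, hosts in hosts_by_policy.items()}


if __name__ == "__main__":
    for pid, hosts in sorted(affected_policies(SAMPLE_LOGS).items()):
        print(f"policyid={pid}: {', '.join(hosts)}")
```

Run against an export of the SSL Inspection log view, the output lists one line per Policy ID with the hosts that were blocked under it; the hostname list also shows whether a narrow policy for a few known hosts (the alternative suggested in Step 3) would cover the observed traffic, rather than relaxing the setting for a whole profile group.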

Scope

FortiSASE.

Solution

  1. In the SSL Inspection logs, identify the Policy ID(s) affected. Note that the Policy ID column is not enabled by default and has to be enabled by the FortiSASE administrator.

     308261-3-policyID-1.png

  2. Navigate to Configuration -> Policies. Among the Internet Access and Private Access policies, locate the policies matching the policy ID(s) determined in Step 1. For each policy, note the profile group it uses.

     308261-3-policyID-2.png

  3. Navigate to Configuration -> Security. Among the Internet Access and Private Access profile groups, locate the profile group(s) noted in Step 2. Under the 'Configure SSL' menu, change the 'Expired certificates' setting from Block to Allow. Note that this change applies to all policies that use these profile group(s). If the goal is to allow expired certificates only for specific destination hosts, create a new, specific policy and profile group instead.

     308261-3-policyID-3.png

     308261-4-expired-certificates-allow.png