Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
damianhlozano
Contributor

Fortigate is giving its own certificate when using certificate-inspection

Hello team!!

I have the following issue with a FortiGate 60F (firmware 6.4.4).

We have all the rules from LAN to WAN with "Certificate-inspection", none with "Full-inspection", and the "Certificate-inspection" profile is the default one.

Sometimes clients have problems browsing the internet, because the FortiGate is giving the user its own certificate, and it is not trusted by the clients.

I know a possible solution is to install the FortiGate certificate on the clients, but I would prefer to know why this is happening.

Do you know why the FortiGate could give its own certificate to clients even when using the default "Certificate-inspection" profile?

Thanks in advance.

Regards,

Damián

1 Solution
damianhlozano
Contributor

Finally I changed the protocol and port for FortiGuard connections and it worked:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
end

Thanks!

anikolov
Staff

Hello Damian,

I believe we have the answer for your question in the KB article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Certificate-error-when-accessing-blocked-p...

Please let me know if you need further explanation.

Regards,

Aleksandar Nikolov
Debbie_FTNT
Staff

Hey Damián,

to clarify Aleksandar's update:

- the Fortigate may be blocking the connection for some reason

- if the FortiGate blocks something, it displays a replacement message it hosts itself

-> this replacement message will use the FortiGate's own certificate

- this is entirely independent of deep-inspection or certificate-inspection happening

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
damianhlozano

Thank you both for your answers, but the FortiGate is not blocking anything.

The issue happens with any page, but the same page that had the issue sometimes works fine.

For example, today I tried to access login.microsoft.com and it did not work; after 5 minutes, without changing anything on the FortiGate, it started to work.

Someone told me that the issue is not happening in Edge, only in Chrome.

Any idea?

Regards,

Damián

damianhlozano
Contributor

I just saw that the FortiGate is blocking QUIC with application control, but the category this belongs to was configured as Monitor, so I just changed this to Allow.

Why can this block an application with the action "Monitor"?

Regards,

Damián

damianhlozano

Changing this to "Allow" does not solve the issue.

QUIC is still being blocked by application control.

Any idea?

Regards,

Damián

damianhlozano
Contributor

I just saw another error.

In the web filter logs: "all Fortiguard servers failed to respond"

I think maybe this is the issue.

I will continue with the ticket on support.fortinet.com

Thanks

Damián

Debbie_FTNT

Hey Damián,

if your FortiGate can't reach FortiGuard, then it is likely that your webfiltering is blocking everything.

-> webfilter relies on reaching FortiGuard servers for category information (there is a cache on FortiGate, but it doesn't hold that much information)

-> you probably have 'Allow websites when rating error occurs' disabled:

[screenshot: the 'Allow websites when a rating error occurs' option in the web filter profile]

If that setting is turned off, then FortiGate will block the connection, and (try to) present a block page, using its own certificate

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
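The failure mode Debbie describes (FortiGuard unreachable, rating error, block page served with the FortiGate's own certificate) can be confirmed from the logs before touching any config. The following Python is an added example written for this thread, not code from Fortinet or the original poster: it parses constructed FortiOS-style web filter log lines, separates rating-error blocks from genuine category blocks, and checks a constructed web filter profile for the CLI equivalent of "Allow websites when a rating error occurs". The log values and config fragments are made up for illustration, and the option name `error-allow` under `config ftgd-wf` is from memory of the FortiOS 6.4 CLI reference, so verify it against your firmware's reference.

```python
"""Spot FortiGuard rating-error blocks in FortiGate web filter logs and check
whether a web filter profile fails open when a rating lookup fails.

Added example for this thread, not Fortinet's or the poster's code. The log
lines and config snippets below are constructed; field names (subtype,
action, hostname, msg) follow the FortiOS key=value log style, and the option
name `error-allow` under `config ftgd-wf` is assumed from the 6.4 CLI
reference. Verify both against your own firmware.
"""
import re
from collections import Counter

# Message the original poster saw in the web filter logs (compared lowercase).
RATING_ERROR_MSG = "all fortiguard servers failed to respond"

# Constructed sample: two rating-error blocks, one real category block and
# one passed request, mimicking the intermittent symptom from the thread.
SAMPLE_LOGS = """\
date=2022-03-22 time=10:01:12 type="utm" subtype="webfilter" eventtype="ftgd_err" level="warning" srcip=192.168.1.25 dstip=20.190.160.14 hostname="login.microsoft.com" url="/" action="blocked" msg="all Fortiguard servers failed to respond"
date=2022-03-22 time=10:01:15 type="utm" subtype="webfilter" eventtype="ftgd_err" level="warning" srcip=192.168.1.25 dstip=142.250.74.46 hostname="www.google.com" url="/search" action="blocked" msg="all Fortiguard servers failed to respond"
date=2022-03-22 time=10:02:40 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=192.168.1.31 dstip=203.0.113.10 hostname="casino.example" url="/" action="blocked" msg="URL belongs to a denied category in policy"
date=2022-03-22 time=10:06:03 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" srcip=192.168.1.25 dstip=20.190.160.14 hostname="login.microsoft.com" url="/" action="passthrough" msg="URL belongs to an allowed category in policy"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one FortiOS key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def is_rating_error(event):
    """True for a web filter block caused by FortiGuard being unreachable,
    rather than by the site's category."""
    return (
        event.get("subtype") == "webfilter"
        and event.get("action") == "blocked"
        and event.get("msg", "").lower() == RATING_ERROR_MSG
    )


def summarize(log_text):
    """Split web filter blocks into rating-error blocks vs. category blocks.

    A large rating-error share means users are seeing the FortiGate's block
    page (and its certificate) because FortiGuard lookups fail, not because
    policy denies the site.
    """
    events = [parse_kv(line) for line in log_text.splitlines() if line.strip()]
    webfilter = [e for e in events if e.get("subtype") == "webfilter"]
    blocked = [e for e in webfilter if e.get("action") == "blocked"]
    rating = [e for e in blocked if is_rating_error(e)]
    return {
        "webfilter_events": len(webfilter),
        "blocked": len(blocked),
        "rating_error_blocks": len(rating),
        "category_blocks": len(blocked) - len(rating),
        "affected_hosts": sorted({e.get("hostname", "") for e in rating}),
        "affected_clients": Counter(e.get("srcip", "") for e in rating),
    }


# Constructed FortiOS config fragments: a profile without error-allow (blocks
# on rating errors) and the corrected one. Option name assumed, see docstring.
WEAK_PROFILE = """\
config webfilter profile
    edit "default"
        config ftgd-wf
            set max-quota-timeout 300
        end
    next
end
"""
FIXED_PROFILE = WEAK_PROFILE.replace(
    "        config ftgd-wf\n",
    "        config ftgd-wf\n            set options error-allow\n",
)


def allows_on_rating_error(config_text):
    """Return True if the ftgd-wf section sets the error-allow option
    (GUI: 'Allow websites when a rating error occurs')."""
    in_ftgd, depth = False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_ftgd:
            if line == "config ftgd-wf":
                in_ftgd, depth = True, 1
            continue
        if line.startswith("config "):
            depth += 1  # nested sub-table inside ftgd-wf
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_ftgd = False
        elif line.startswith("set options") and "error-allow" in line.split()[2:]:
            return True
    return False


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print(f"rating-error blocks: {s['rating_error_blocks']} of {s['blocked']} blocks")
    print("hosts hit by rating errors:", ", ".join(s["affected_hosts"]))
    for name, cfg in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        print(f"{name} profile allows on rating error: {allows_on_rating_error(cfg)}")
```

A nonzero rating-error count alongside intermittent "certificate not trusted" complaints matches the symptom in this thread; the category-block count is the traffic the policy actually intends to stop. Keep in mind that `error-allow` fails open: while FortiGuard is unreachable, category filtering is effectively off, so restoring FortiGuard connectivity (as in the accepted solution) is the real fix and the option is only a way to stop users from hitting the block page in the meantime.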
damianhlozano

Yes, this is the problem; it occurs with every site, but not always, only sometimes.

I know about this option (Allow websites when a rating error occurred) and I enabled it a few minutes ago.

I need to troubleshoot fortiguard connectivity issues but I will continue with fortigate support

Thanks

