Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
burhanafridi603
New Contributor

SSL Deep Inspection create Internet issue for Smartphones.

Hello Everyone

I am using fortigate 60F Firewall and i have enables SSL Deep packet inspection i have installed certificate on almost all devices, however , Smartphone devices giving internet access as soon as I activate any security profile such antivirus, ips etc.

I even installed Certificate on mobile devices but still an issue.

Burhan Uddin
Burhan Uddin
13 REPLIES 13
Markus_M
Staff
Staff

Hi Burhan,

 

deep inspection (DPI) generally is difficult with unmanaged clients like BYOD devices, smartphones, often are.

You may be able to check with an Android app "pcapdroid" to create a packet capture per app when you get this displayed. It could be that your FortiGate is not sending the intermediate CA certificate that you might have/need and the client needs this.

To verify a certificate the client will also need to complete a chain of certificates.

Server certificate > intermediate certificate(s) > Root CA

A pcap will show this easier (if the TLS version is 1.2 or lower).

Quick idea is, if you have the intermediate, install it on the FortiGate certificate/CA store and FortiGate should automatically send it.

 

Even though I have seen the Androids causing trouble with this, but there is a good change I might not have it done right in the past.

 

Best regards,

 

Markus

 

 

burhanafridi603

Thanks Markus_M for your response.

 

I have installed only Fortinet_CA_SSL Certificate on all my devices, which I have downloaded from SSL/SSH Inspection Profile as shown in attached image.

 

The same certificate I have installed on laptop and Desktop as well as Android devices.

Please tell If i am wrong or do i have to download any other certificate from Fortinet firewall.


Also I will try with pcapdroid 

 

SSL Certificate.jpg

 

Burhan Uddin
Burhan Uddin
Markus_M

Hi Burhan,

 

yes, that certificate is correct. Needs to be installed on the client's trusted root cert store.

What exact(!) error does your browser give you when you get warnings?

 

Best regards,

 

Markus

burhanafridi603

I installed certificate in trusted root CA , the error it shows on mobile devices as a popup that some apps will not work and Apps like linkedin, tiktok is not working even there is no application blocked in app profile.

What i have to do is create a rule to not inspect the apps such as linkedin and titkok some others.

Burhan Uddin
Burhan Uddin
Markus_M

What exact error do you receive?

 

Best regards,

 

Markus

burhanafridi603

when I opened app it say network anomalies please check your internet connection.

Burhan Uddin
Burhan Uddin
burhanafridi603

These are the type of Error we are receiving 

 

Screenshot_20220813-100652.jpgScreenshot_20220813-131435__01.jpg

Burhan Uddin
Burhan Uddin
Jirka1

Hello,

the problem is that some applications (such as Binance, etc.) do not use a central certificate store on the device, but use their own certificate. The only option is to create an SSL exception on FGT.

 

Jirka

sjoshi
Staff
Staff

Dear burhanafridi603,

 

Thank you for posting to the Fortinet Community Forum.

 

Problem Description:-
SSL Deep Inspection create Internet issue for Smartphones.

As per your description you are facing internet issue for smartphone if you enable deep inspection in the policy

Please confirm whether you have install the deep inspection certificate and its CA cert in the smart phones
Are you facing issue with windows PC in the same subnet?
Please share the policy configuration.
Also can you share the snapshot of the error you are getting in your smartphones. Is the issue for all smartphones or only few users

 

Let us know if this helps.

Thanks

Salon Raj Joshi
Labels
Top Kudoed Authors