- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: SSL Inspection Exchange online
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Inspection Exchange online
So, we're having an issue with out outlook clients popping up a certificate warning and having to reconnect several times a day. The certificate is the factory default, not the SSL certificate we have configured for deep inspection. Fortinet support has not been able to help us and keeps trying to reinstall the SSL certificate (used for deep inspection) on the affected computers. After looking through the logs I noticed we have SSL anomalies on some traffic to Microsoft. It seems the certificates they are using for several of their web servers are valid with a date of over 1 year, however, fortigate responds back that the certificate is "re-signed as untrusted, certificate-status: untrusted". I've tried using my cell phone with the same URL and it says "server certificate could not be trusted", chrome on an internal PC (after microsoft SSL exemption) now says, "NET::ERR_CERT_VALIDITY_TOO_LONG". Which reaffirms my belief that the SSL cert is valid for too long now and is causing the error. This would require microsoft to re-key all of these SSL certs...
The certificate being used by microsoft is longer than 1 year. Not sure if the rules regarding SSL/TLS certificates being valid for only 1 year is affecting how browsers and the fortigate see this certificate as being untrusted.
Why the fortigate is then using the factory default certificate for ssl inspection might be by design. But I'm not sure on this. The SSL error can be reproduced outside and inside my network, so I don't think its a fortigate issue. I've exempted microsoft sites from being SSL inspection, and i'll see if I get the outlook popup again.
“When things go wrong, don't go with them.”
“When things go wrong, don't go with them.”
Labels:
- Labels:
-
FortiGate
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
By default, with SSL deep-inspection when FGT fails to authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will resign the certificate with "Fortinet_CA_Untrusted". In CLI you can configure it as follows:
config firewall ssl-ssh-profile
edit <profile_name>
set untrusted-caname "Fortinet_CA_Untrusted" ----> You can select different cert here
end
based on the firmware version, there are a couple of additional settings on what to do when untrusted cert is received, for example in 7.0.5:
config firewall ssl-ssh-profile
edit "test"
config https
set ports 443
set status deep-inspection
set expired-server-cert block
set revoked-server-cert block
set untrusted-server-cert allow
set cert-validation-timeout allow
set cert-validation-failure block
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information. I made those changes above and we still get the error. I even exempted the sites and we still got the error. Fortinet support said the problem may have to do with the WAD crashes on signal 11 unresolved issue on 7.05. It would still block the sites after the crash even though exempted. I did a work around and removed SSL deep inspection for all Microsoft sites. So far so good. We'll see if that narrows the problem down. If so, then upgrading to 7.2 will fix the numerous WAD problems in version 7.
“When things go wrong, don't go with them.”
“When things go wrong, don't go with them.”
Related Posts
- How to enable FortiMail ARC Sealing 453 Views
- How to allow recaptcha without google... 447 Views
- Fortimail and Exchange Hybrid - LDAP... 455 Views
- Forticlient EMS block issue 465 Views
- I created SSL inspection profile and... 760 Views
Labels
-
FortiGate
6,412 -
FortiClient
1,279 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
407 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
238 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
61 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
43 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
37 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Routing
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
Web profile
2 -
FortiAI
2 -
Intrusion prevention
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Service
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Fortinet Engage Partner Program
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.