FortiClient EMS: deep inspection web filter certificate
Hello everyone,
I am working on implementing FortiClient 7.2.4 trial.
I did import a web filter profile from our FortiGate and enabled SSL deep inspection.
Now it does not seem that FortiClient EMS imports the SSL inspection certificate which is used by the FortiGate (and trusted by the clients).
I did not find any setting to let me control the certificate used for SSL deep inspection in FortiClient EMS... Does anyone know where to set the certificate used for deep inspection in FortiClient EMS?
Edit: OK, it seems like forcing installation of the FortiClient extension gets rid of the invalid SSL certificate warnings. Is this the way to go then?
But I still get certificate warnings when starting Outlook... So how do I set this up correctly?
The FortiGate deep inspection certificate must be installed on the end user's machine under the trusted root CA certificates.
You can push the deep inspection certificates using EMS. Please check this doc
I already have a running setup with a FortiGate and deep inspection profile.
This is not my problem.
It seems like FortiClient EPP/APT deep inspection is using a separate "FortiClient certificate" which is untrusted by the clients.
Hi @miciti
If you are seeing the certificate warning when accessing the website, then simply check the certificate details to find the CA that signed it.
Refer to the article: https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details.
The certificate details let you know whether the CA is FortiGate or something else.
Regards,
Rahul Kaushik
Hi,
thank you very much for your replies!
I tried to reproduce the issue to get a screenshot of the "FortiClient" cert issued by "Fortinet support" that produced the certificate error, but it seems the issue was fixed somehow. Maybe there was a configuration error in EMS or the web filter sync to FortiGate was broken. I do not know, but for now it is working as intended.
Created on ‎07-25-2024 04:09 AM Edited on ‎07-25-2024 04:10 AM
Hi,
Today the issue appeared again. This time I took a screenshot of the certificate.
There is a FortiClient certificate issued by Fortinet support...
This certificate is definitely not used by my FortiGate when doing SSL inspection.
Does anyone here have an idea? I would gladly solve that before buying licenses for all our computers... (currently on trial, issue appears on all three test computers)
