Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
miciti
Contributor

FortiClient EMS: deep inspection web filter certificate

Hello everyone,

I am working on implementing FortiClient 7.2.4 trial.

I did import a web filter profile from our FortiGate and enabled ssl deep inspection.

 

Now it does not seem that FortiClient EMS imports the SSL inspection certificate which is used from FortiGate (and trusted by the clients).

 

I did not find any setting to let me control the certificate used for ssl deep inspection in FortiClient EMS... Anyone knowing where to set the certificate used for deep inspection in FortiClient EMS?

 

Edit: Ok seems like forcing to install the FortiClient extension gets rid of invalid ssl certificate warnings. Is this the way to go then?

But I still get certificate warnings when starting Outlook... So how do I set this up correctly?

6 REPLIES 6
amrit
Staff
Staff

The fortigate deep inspection certificate must be installed on the end user’s  machine under the truster root ca certificates 

You can push the deep inspection certificates using EMS , Please check this doc

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/989515/allow-deep-inspection-certifi...

Amritpal Singh
miciti

I already have a running setup with a FortiGate and deep inspection profile. 

This is not my problem. 

 

It seems like FortiClient EPP/APT deep inspection using a seperate "FortiClient certificate" which is untrusted by the clients. 

rahulkaushik-22

Hi @miciti

If you are seeing the certificate warning when accessing the website then simply check the certificate details to find the CA who signed it. 

Refer to the article: https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details
Certificate details let you know whether CA is Fortigate or something else.

Regards, 
Rahul Kaushik

 

 





 

MR RAHUL K KAUSHIK
miciti

Hi,

thank you very much for your replies!

I tried to reproduce the issue get a screenshot from the "FortiClient" cert issued by "Fortinet support" that produced the certificate error but it seems the issue was fixed somehow. Maybe there was a configuration error in EMS or the web filter sync to FortiGate was broken, do not know but for now it is working as intended.

miciti

Hi,

today the issue appeared again. This time I took a screenshot from the certificate.

There is a FortiClient certificate issued by fortinet support...

 

This certificate is definitely not used by my FortiGate when doing SSL inspection.


cert1.pngcert2.png

miciti
Contributor

Anyone here having an idea? I would gladly solve that before buying licenses for all our computers... (currently on trial, issue apperas on all three test computers)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors