Has anyone found anything in Fortigate's documentation saying anything about compatibility between Fortigate and SHA256? We have a 240D Fortigate on version 5.2.3.
With the deprecation of sha1 certificates, I'm now having problems with my Deep Inspection. The strange thing is that even using a sha256 certificate, the Fortigate presents a sha1 certificate to the browser.
I opened a ticket with support and they said FortiOS has been compatible with sha256 since v5.2.6, but I couldn't find any mention of that in the documentation from 5.2.6 to 5.2.8.
You're right, I'm using a sha256 cert from my internal CA to use as my inspection cert.
TAC told me that I should upgrade my OS to at least 5.2.6. I was wondering if that is true because there is no note about this matter in the changelog.
I'll try the upgrade and then I'll report the results.
We are having deep inspection issues too since the deprecation of SHA1. Has only started to hit us recently on a small group of Chromebooks running Chrome OS Beta (v57), which are displaying "Weak Signature Algorithm" warnings on all HTTPS sites using the newer certificates (not just Google sites). Production devices running Chrome OS 56 and lower are fine.
If the upgrade resolves your deep inspection problem, we will follow suit.
We did the update last night from 5.2.3 to 5.2.10, but have seen little improvement, at least for our problem.
1) Now IE loads my certificate correctly with the sha256 algorithm. Thanks MikePruet for that!
2) Our problems with inspection stay the same. Actually the big problem here is with Google. I see 3 different behaviours with the 3 most used browsers (in flow-mode WebFilter):
a) IE loads www.google.com (or .br in my case) with my certificate and SafeSearch, but when I hit search, it gives me a block page saying "the url is banned". The strange thing is that it is not the default Web blocked page. It is as if Fortigate were blocking me with another engine. I have attached the screenshot.
b) Google Chrome doesn't even load the www.google.com page. It says the page took too long to respond. I captured the error as well.
c) Firefox loads Google's page and does the search, but without my certificate, and therefore no SafeSearch. And yes, it has my certificate added as it should be.
All that said, guess what? In Proxy mode all of them work perfectly!
My ticket is still open. I just gave them some feedback on these tests.
1. Go to Security Profiles > Web Filter.
2. Determine if you wish to create a new profile or edit an existing one.
3. Select an Inspection Mode.
4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.
5. Configure any Quotas needed. (Proxy Mode)
6. Allow blocked override if required. (Proxy Mode)
7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)
8. Configure Static URL Settings. (All Modes)
9. Configure Rating Options. (All Modes)
10. Configure Proxy Options.
11. Save the filter and web filter profile.
12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.
I was concerned when you mentioned deep inspection doesn't work with Flow Based, however... we have upgraded from 5.2.3 to 5.2.10 this morning and everything works perfectly now - no more certificate errors on Chromebooks, no cert errors on Google sites, and no errors on other SSL sites (and we're using flow based policies).
Have tried in multiple browsers on our Windows machines as well. All OK now.
I should also note, we are not using the default Fortigate certificate. We generated our own SHA256 cert with an RSA key of 2048 bits using OpenSSL, imported it into the FortiGate 600C, and added this to our policies, deploying it to the certificate stores on our devices.
We upgraded as per the recommended path 5.2.3 > 5.2.5 > 5.2.7 > 5.2.9 > 5.2.10
There are certain Google domains which must be exempted, otherwise they will throw errors no matter what we do. Two of them are "safebrowsing-cache.google.com" and "safebrowsing.google.com". We have added the full list to a new "Whitelist" category in web rating override. Then we added this category under Exempt from SSL Inspection.
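The post above generates its own SHA256/RSA-2048 inspection CA with OpenSSL, and the thread starter's original problem was that the FortiGate kept presenting a sha1 certificate to browsers even though a sha256 one had been loaded. The script below is an added example, written for this thread and not taken from any post or from Fortinet: it builds a CA of the kind described (the subject name, scratch directory and file names are made up), then reports the signature algorithm and key size of a PEM certificate, flags SHA-1/MD5 signatures, and can pull the leaf certificate a TLS endpoint actually presents so you can confirm what deep inspection is handing to clients after an upgrade.

```shell
#!/bin/sh
# Added example (not from the thread or from Fortinet): build an inspection CA the
# way the post describes (RSA-2048, SHA-256 signature) and check which signature
# algorithm and key size a certificate really carries, whether it is a local PEM
# file or the certificate a TLS endpoint presents.
set -eu

# Scratch directory for generated files (hypothetical location, override with WORK=).
WORK="${WORK:-$(mktemp -d)}"

# Create an RSA-2048 key and a self-signed CA certificate signed with SHA-256.
# Prints the path of the PEM certificate.
make_sha256_ca() {
    name="${1:-inspection-ca}"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=Example Inspection CA" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
    printf '%s\n' "$WORK/$name.crt"
}

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
sig_alg_of_pem() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the public key size in bits of a PEM certificate, e.g. 2048.
# (Older OpenSSL prints "RSA Public-Key:", newer prints "Public-Key:"; both match.)
key_bits_of_pem() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit).*/\2/p' | head -n 1
}

# Succeed (exit 0) when the algorithm name is one current browsers reject:
# anything based on SHA-1, MD5 or MD2.
is_weak_signature() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*|*md2*|*MD2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the leaf certificate a TLS server presents and print its signature
# algorithm. Run from a client behind the FortiGate, this shows which certificate
# deep inspection is actually handing out (the re-signed one, or the origin's).
# Needs network access, so it is not called in the demo below.
sig_alg_of_endpoint() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Demonstration on the generated CA (runs offline).
CA_CRT="$(make_sha256_ca demo-ca)"
ALG="$(sig_alg_of_pem "$CA_CRT")"
echo "certificate: $CA_CRT"
echo "signature algorithm: $ALG, key size: $(key_bits_of_pem "$CA_CRT") bits"
if is_weak_signature "$ALG"; then
    echo "WARNING: weak signature algorithm; current browsers will reject this certificate"
else
    echo "OK: signature algorithm accepted by current browsers"
fi
```

To check what clients see, run something like `sig_alg_of_endpoint www.google.com` from a machine whose traffic passes through the inspection policy: a sha256WithRSAEncryption result signed by your own CA means the FortiGate is re-signing with the imported certificate, while a sha1WithRSAEncryption result reproduces the symptom the thread starter reported on 5.2.3.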