Hello team!!
I have the following issue with a fortigate 60F (firmware 6.4.4)
We have all the rules from LAN to WAN, with "Certificate-inspection", no one with "Full-inspection", and the "Certificate-inspection" profile is the default one.
Sometimes, clients are having problems browsing in the internet, because Fortigate is giving to user its own certificate and it is not trusted in clients
I know a possible solution is to install the fortigate certificate in clients but I prefer to know why is happening this
Do you know why fortigate could give its own certificate to clients even using default "Certificate-inspection" profile?
Thanks in advance.
Regards,
Damián
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Finally changed the protocol and port for fortiguard connections and worked
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end
Thanks!
Hello Damian,
I believe we have the answer for your question in the KB article below:
Please let me know if you need further explanation.
Regards,
Hey Damián,
to clarify Aleksandar's update:
- the Fortigate may be blocking the connection for some reason
- if the FortiGate blocks something, it displays a replacement message it hosts itself
-> this replacement message will use the FortiGate's own certificate
- this is entirely independent of deep-inspection or certificate-inspection happening
Thank you both for your answers, but Fortigate is not blocking anything
The issue happens with any page but the same page with the issue sometimes is working fine
For example, today tried to access login.microsoft.com and did not work, after 5 minutes without change anything in the fortigate, it started to work.
Someone told me that the issue is not happening in Edge, only in Chrome
Any idea?
Regards,
Damián
I just see that Fortigate is blocking QUIC with application control, but the category where this belong, was configured as monitor, I just change this to allow
Why can this block an application with action "Monitor"?
Regards,
Damián
Change this to "Allow" does not solve the issue
QUIC still being blocked by application control
Any idea?
Regards
Damián
I just see another error
In web filter logs: "all Fortiguard servers failed to respond"
I think maybe this is the issue
I will continue with the ticket in support.fortinet.com
Thanks
Damián
Hey Damián,
if your FortiGate can't reach FortiGuard, then it is likely that your webfiltering is blocking everything.
-> webfilter relies on reaching FortiGuard servers for category information (there is a cache on FortiGate, but it doesn't hold that much information)
-> you probably have 'Allow websites when rating error occurs' disabled:
If that ssetting is turned off, then FortiGate will block the connection, and (try to) present a block page, using its own certificate
Yes, this is the problem, occurs with every site but not allways, sometimes
I know about this option (Allow website when a rating error ocurred) and I enabled it some minutes ago.
I need to troubleshoot fortiguard connectivity issues but I will continue with fortigate support
Thanks
Finally changed the protocol and port for fortiguard connections and worked
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end
Thanks!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1548 | |
1032 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.