Hello team!!
I have the following issue with a FortiGate 60F (firmware 6.4.4).
We have all the rules from LAN to WAN with "Certificate-inspection", none with "Full-inspection", and the "Certificate-inspection" profile is the default one.
Sometimes clients have problems browsing the internet, because the FortiGate gives the user its own certificate and it is not trusted by the clients.
I know a possible solution is to install the FortiGate certificate on the clients, but I would prefer to know why this is happening.
Do you know why the FortiGate could give its own certificate to clients even when using the default "Certificate-inspection" profile?
Thanks in advance.
Regards,
Damián
Finally I changed the protocol and port for FortiGuard connections and it worked:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
set sdns-server-ip 208.91.112.220
end
Thanks!
Hello Damian,
I believe we have the answer for your question in the KB article below:
Please let me know if you need further explanation.
Regards,
Hey Damián,
to clarify Aleksandar's update:
- the Fortigate may be blocking the connection for some reason
- if the FortiGate blocks something, it displays a replacement message it hosts itself
-> this replacement message will use the FortiGate's own certificate
- this is entirely independent of deep-inspection or certificate-inspection happening
Thank you both for your answers, but the FortiGate is not blocking anything.
The issue happens with any page, but the same page that has the issue sometimes works fine.
For example, today I tried to access login.microsoft.com and it did not work; after 5 minutes, without changing anything in the FortiGate, it started to work.
Someone told me that the issue does not happen in Edge, only in Chrome.
Any idea?
Regards,
Damián
I just saw that the FortiGate is blocking QUIC with application control, but the category this belongs to was configured as Monitor; I just changed this to Allow.
Why can this block an application with the action "Monitor"?
Regards,
Damián
Changing this to "Allow" does not solve the issue.
QUIC is still being blocked by application control.
Any idea?
Regards
Damián
I just saw another error.
In the web filter logs: "all Fortiguard servers failed to respond"
I think maybe this is the issue.
I will continue with the ticket in support.fortinet.com
Thanks
Damián
Hey Damián,
if your FortiGate can't reach FortiGuard, then it is likely that your web filtering is blocking everything.
-> the web filter relies on reaching FortiGuard servers for category information (there is a cache on the FortiGate, but it doesn't hold that much information)
-> you probably have 'Allow websites when rating error occurs' disabled:
If that setting is turned off, then the FortiGate will block the connection and (try to) present a block page, using its own certificate.
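The behaviour described above, as an added CLI example (not from this thread or from Fortinet's documentation): the weak form where rating errors are not tolerated, beside the corrected form. It assumes the web filter profile applied to the LAN-to-WAN policies is named "default"; adjust the name to match your own profile.

```fortios
# Added example, not from the thread. Assumes the web filter profile
# used by the LAN-to-WAN policies is called "default".
#
# Weak form: rating errors are not allowed. When no FortiGuard server
# responds, every request that needs a category lookup is blocked and the
# FortiGate serves its block page with its own certificate, which is what
# the clients in this thread saw as an untrusted-certificate warning.
config webfilter profile
    edit "default"
        config ftgd-wf
            unset options
        end
    next
end

# Corrected form: "Allow websites when a rating error occurs". A FortiGuard
# outage then degrades to uncategorised traffic instead of a full block.
config webfilter profile
    edit "default"
        config ftgd-wf
            set options error-allow
        end
    next
end

# Check whether the FortiGate can currently reach the rating servers
# (lists the FortiGuard servers and their status).
diagnose debug rating
```

With error-allow set, traffic that could not be rated passes without category enforcement, so keep alerting on the "all Fortiguard servers failed to respond" web filter log so an outage is noticed rather than silently failing open.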
Yes, this is the problem: it occurs with every site, but not always, just sometimes.
I know about this option (Allow websites when a rating error occurs) and I enabled it some minutes ago.
I need to troubleshoot the FortiGuard connectivity issues, but I will continue with FortiGate support.
Thanks