Fortinet DPI
I have set up Fortinet DPI, but I'm getting an untrusted cert error.
Labels: FortiGate, FortiGate-VM
This can be changed only via the CLI, as below (replace "Fortinet_CA_Untrusted" with the certificate you wish to use for untrusted connections):

    config firewall ssl-ssh-profile
        edit <profile-name>
            set untrusted-caname "Fortinet_CA_Untrusted"
        next
    end

The FortiGate shows "Server certificate is re-signed as untrusted, certificate-status: untrusted" in the logs because the CA that signed the server's cert is not in the FortiGate's trusted store.
Now, from the URL below:
https://www.ssllabs.com/ssltest/analyze.html?d=sigupdates.marshal.com&s=152.199.6.70#whyNotTrusted
You need to import the root CA of the website/server you are accessing into the FortiGate trust store.
The FGT has a certificate store, and in that store we keep root CA certs. The root CA of the website you are visiting is not in that store; that's why you are getting that untrusted cert error.
Fortinet Certified Expert (FCX) | #NSE8-003459
Due to the nature of DPI this is expected if the configuration is not completed. You can take a look at this article that goes into details explaining why this happens and how to complete the implementation.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi,
Please check the SSL events and see what logs you are getting.
Have you installed the CA cert used for DPI on the end-user machine? If possible, share a snapshot for better understanding.
Fortinet Certified Expert (FCX) | #NSE8-003459
Yes, I have installed the certificate on the end user.
The error I'm getting in the SSL event logs is msg="Server certificate is re-signed as untrusted, certificate-status: untrusted".
And it is happening when accessing some of the websites, not all of them.
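A small triage helper, added here as an example (it is not from Fortinet or from this thread), that parses FortiOS key="value" SSL event lines and counts which destinations were re-signed with the untrusted CA, so you can see whose root CA still needs importing into the FortiGate trust store. The log lines below are constructed samples with made-up addresses; the field names (subtype, hostname, dstip, msg) follow the FortiOS log layout.

```python
import re
from collections import Counter

# Constructed sample FortiGate log lines (not real device output). Field names
# follow the FortiOS key="value" layout; hosts and addresses are made up.
SAMPLE_LOG = """\
date=2024-01-10 time=10:01:02 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=10.0.0.21 dstip=203.0.113.10 hostname="updates.example.net" action="passthrough" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted"
date=2024-01-10 time=10:01:05 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=10.0.0.22 dstip=203.0.113.10 hostname="updates.example.net" action="passthrough" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted"
date=2024-01-10 time=10:02:11 type="utm" subtype="ssl" eventtype="ssl-anomalies" srcip=10.0.0.21 dstip=198.51.100.7 hostname="intranet.example.internal" action="passthrough" msg="Server certificate is re-signed as untrusted, certificate-status: untrusted"
date=2024-01-10 time=10:03:00 type="traffic" subtype="forward" srcip=10.0.0.21 dstip=203.0.113.10 action="accept" msg="Traffic allowed"
"""

# key=value or key="quoted value"; quoted values may contain spaces and commas.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def untrusted_destinations(log_text):
    """Return {(hostname, dstip): count} for SSL events in which the FortiGate
    re-signed the server certificate with the untrusted CA."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("subtype") != "ssl":
            continue  # only SSL inspection events are relevant here
        if "certificate-status: untrusted" not in f.get("msg", ""):
            continue
        hits[(f.get("hostname", "?"), f.get("dstip", "?"))] += 1
    return dict(hits)


if __name__ == "__main__":
    # Most frequently re-signed destinations first: candidates for a missing root CA.
    for (host, ip), n in sorted(untrusted_destinations(SAMPLE_LOG).items(),
                                key=lambda kv: -kv[1]):
        print(f"{n:3d}  {host:32s} {ip}")
```

Each destination listed is one whose server certificate chain does not end in a root the FortiGate trusts; verify the chain (for example with the SSL Labs report) before importing anything.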
By default, the FGT checks the server certificate of the destination website. When the FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, or self-signed certificate), it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).
Fortinet Certified Expert (FCX) | #NSE8-003459
OK, I will check.
