Hi all, We have 2 X 100D Hardware Appliances running firmware version 6.0.4 (build 0231 GA) in NAT (Flow-based) Mode (HA: Active-Passive).
They primarily protect our wireless network which is open to use by staff and visiting members of the public. In general we do not do full SSL inspection.
However, I have been testing 'Full SSL Inspection' on a few devices. I have downloaded the Fortinet_CA_SSL certificate from the firewall appliance and installed it on my test platforms (Windows & Android).
On the whole, most things appear to work fine except Google Play Store on the Android device, it just won't connect to Google Play at all. If I revert to default SSL Certificate Inspection everything works fine.
My Web Filter Policy blockes sites categorised as Advertising and Web Analytics. My Application Control Policy also blocks Google.Ads and Google.Analytics. It should be noted that when I allow these applications Google Play still doesn't work with Full SSL Inspection enabled.
My Web Filter, Application Control and Forward Traffic Logs aren't helping much as I cannot see anything being blocked which may help with resolving this issue.
Has anyone else experienced something similar and could point me in the right direction to solving this problem? Any advice would be much appreciated.
Best regards,
John P
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello John,
Google Playstore does a thing called "Certificate Pinning" which pins the public key of their SSL Certificate to the application itself. This SSL deep-inspection will not work. The application will do a check on the certificate and if it sees that the Fortigate has resigned the original certificate, it will break the session. That is the reason it does not work. We usually have a list of domains we exempt in the SSL Certificate sensor which we know has been known to be used by applications that has Certificate Pinning.
Homing
First of all you'll want to make sure the problem is on your end and not a wider problem with Google. Check the Play Store status on a service like downdetector, for example. If a lot of users are reporting a similar problem, then chances are it's on Google's side and you'll need to wait for them to fix it.
If you suspect the problem is on the user end, you'll first want to restart your phone. It seems obvious, but this can be a quick solution to many issues. If your problem repeats, then it's time to get to work.
To start off, we want to check a couple of simple things outside of Google Play that might be affecting its performance. Make sure that your date and time settings are correct and that your Internet connection is working properly.
Google checks your Android smartphone's date and time for the Play Store. If the store does not find a time, then it could cause some issues. Google's servers could have a tough time syncing with your device and cause your Play Store to act up.
To fix this issue, you need to go into your the Settings in your Android device. Under Systemyou should see Date and Time. Tap on this and you will see whether your phone is on the Automatic date and time provided by your network. If it isn't already then you should toggle it on.
Hello John,
Google Playstore does a thing called "Certificate Pinning" which pins the public key of their SSL Certificate to the application itself. This SSL deep-inspection will not work. The application will do a check on the certificate and if it sees that the Fortigate has resigned the original certificate, it will break the session. That is the reason it does not work. We usually have a list of domains we exempt in the SSL Certificate sensor which we know has been known to be used by applications that has Certificate Pinning.
Homing
I have deep ssl-inspection enabled and also google-play exempted from inspection. But when I open google store and tap on Install, it just keeps rounding and rounding. No progress, no error messages, and nothing blocked as per the fw logs. Any advice?
Fixed the issue. on the logs I saw *.googlevideo.com in the Certificate Name. Had to add it to the exempted addresses (by creating a new wildcard address) and it worked right away.
As for adding exceptions in ssl certificate sensor. Is this operation on the firewall or where? Is there any detailed procedure
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.