Frosty
Contributor

HTTPS Deep Scanning and certificate errors

On my FG200B I am now running v4.0 MR3 Patch 5. I've been using HTTPS content inspection ever since v4.0 MR2 Patch 2 and we've always had intermittent problems with it. Most of the time it works fine, but intermittently we get a browser error warning that the certificate is not trusted; if we proceed anyway, things always work, but I am struggling to understand why this problem exists and why it is intermittent. I have exported the FGT's main certificate named "Fortinet_Factory" and also the signing CA certificate named "Fortinet_CA". These have been deployed to all PCs using a GPO. I've also tried adding the certificate named "Fortinet_CA_SSLProxy" to this list of certs rolled out via GPO (didn't seem to make a difference).

Can anyone explain to me, in hopefully simple terms: (1) why I am getting these errors with the HTTPS Deep Scanning; (2) why the problem seems to be intermittent; and (3) is there anything I can do to permanently fix it, or am I stuck with it? I have a support ticket open at the moment on this, and Support have referred me to a document "UTM Guide version 4.3" pg194 ... which I have read several times now ... but I still do not understand why it is the case that the problem is intermittent.
Carl_Wallmark
Valued Contributor

Hi Stephen, it's only the "Fortinet_CA_SSLProxy" you need to push to your clients, and it should be installed in the "Trusted Root" store under "Computer". When it works, you should be able to go to an HTTPS page and verify the certificate; it should say something like: Issued to: accounts.gmail.com, Issued by: FortiGate CA

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Frosty
Contributor

OK, I can confirm that the "Fortinet_CA_SSLProxy" cert is installed on my PC in the Trusted Root Certification Authorities store. Yet I was still getting occasional SSL trust errors in my browser. I opened a case with Fortinet and was advised that this issue is a "side effect" of the SSL Content Inspection ("Deep Scanning") function. So ... I turned off that option ... but ... even with Deep Scanning turned off I am STILL getting occasional SSL trust-related errors. So I am starting to wonder whether this is a fault that is not due to the Fortigate at all, but might be caused by something else ... either the time on my PC vs the remote server is out of sync, or maybe the Fortigate's date/time is not quite right, or something else. Mystified!
Kalpesh
New Contributor

Hi, can anyone tell me how to block web sites on a FortiGate 110C? Also, please send me any documentation available for the whole device configuration.
himani_FTNT

Build: 4 MR3 patch 7. Also, try enabling "deep scan" in the firewall protocol options under HTTPS:

config https
    set port 443
    set options allow-invalid-server-cert
    unset post-lang
    set deep-scan enable
end

Upload the certificate Fortinet_CA to all three browsers: IE, Firefox and Chrome.
Frosty
Contributor

I have re-opened my SSL certificate errors issue with Fortinet Support. It still looks to me like every now and again the FG200B is throwing an invalid certificate at the browser. I have managed to screen cap these and now will wait to see what the Fortinet software engineers can tell me about them.
Matthijs
New Contributor II

When you receive an error and continue you should be able to view the certificate and see what the exact error message is (for example certificate is valid but not for the requested domain or certificate has expired).
Frosty
Contributor

The certificate the browser is given looks like this ... the identity is the ID of the FG200B and it is self-signed (so it isn't signed by the SSL Proxy cert in the FG200B). Because it is self-signed the browser will never accept it as valid, even if I import it into the Trusted Certification Authorities store.
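Added example (not from any poster in this thread): a Python check that does in code what Matthijs suggests above, classifying the certificate the client was actually handed as proxy-resigned (issuer CN "FortiGate CA", as Carl quotes), self-signed (the unit's own certificate Frosty describes), mismatched for the requested hostname, or outside its validity window against the client's clock. The certificate dicts used for checking are constructed in the getpeercert() format, the device CN is a placeholder, and only fetch_peercert touches the network.

```python
import socket
import ssl
import time

PROXY_CA_CN = "FortiGate CA"  # CN of Fortinet_CA_SSLProxy, as quoted in this thread

def _name(rdns):
    # Flatten getpeercert()'s nested ((('commonName', 'x'),),) tuples into a dict
    return {key: value for rdn in rdns for key, value in rdn}

def _matches(name, hostname):
    # Exact or single-label wildcard match, case-insensitive
    name, hostname = name.lower(), hostname.lower()
    if name.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == name[2:]
    return name == hostname

def classify_cert(cert, hostname, now=None):
    """Sorted findings for a getpeercert()-style dict: proxy-resigned (issued by
    the FortiGate CA, i.e. inspection working), self-signed (subject == issuer, e.g.
    the unit's own factory cert), hostname-mismatch, not-yet-valid, expired."""
    now = time.time() if now is None else now
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    findings = []
    if subject == issuer:
        findings.append("self-signed")
    elif issuer.get("commonName") == PROXY_CA_CN:
        findings.append("proxy-resigned")
    names = [subject.get("commonName", "")]
    names += [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_matches(n, hostname) for n in names if n):
        findings.append("hostname-mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return sorted(findings)

def fetch_peercert(hostname, port=443, proxy_ca_file=None):
    """Connect and return the cert the client was handed, as a getpeercert() dict.
    proxy_ca_file: exported Fortinet_CA_SSLProxy cert so resigned certs chain. A
    self-signed device cert still raises SSLCertVerificationError (.verify_message)."""
    ctx = ssl.create_default_context()
    if proxy_ca_file:
        ctx.load_verify_locations(proxy_ca_file)
    ctx.check_hostname = False  # keep chain verification, check the name ourselves
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Run classify_cert(fetch_peercert("accounts.gmail.com", proxy_ca_file="Fortinet_CA_SSLProxy.cer"), "accounts.gmail.com") from a client behind the unit: an empty list or ["proxy-resigned"] is the healthy state, anything else names the exact browser complaint.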
Frosty
Contributor

More news in what is rapidly becoming a saga. Found an extra location where HTTPS scanning might have been happening (in an Antivirus profile). Removed this. Didn't fix the problem. On the advice of Fortinet Support we took a backup of the config, formatted the boot disk of the 200B, reflashed new firmware (MR3 Patch 5) and then reloaded our config. Problem is still not fixed. Did note that now when the error occurs the certificate presented is different ... start/end date is not the same ... and the start date is the date we did the reload of the firmware. So the firewall generates its own internal certificate when installing firmware, and for some reason when browsing websites it occasionally presents this internal cert to the browser instead of the cert from the website in question.
Carl_Wallmark
Valued Contributor

I think you got the wrong cert, the SSL_Proxy cert is the same on all Fortigates, it's not unique. The details should be:

Certificate Name: Fortinet_CA_SSLProxy
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FortiGate CA, emailAddress = support@fortinet.com
Valid From: 2008-10-18 00:46:39 GMT
Valid To: 2028-10-13 00:46:39 GMT
Version: 3
Serial Number: 00
Extension Name: X509v3 Basic Constraints
Critical: no
Content: CA:TRUE