Invalid CA Root Certificate when SSL Inspection is enabled
I have a FG100D with FortiOS 5.0.7 with SSL Inspection enabled. I've chosen Fortigate_CA_SSLProxy as the signing CA certificate in my Deep Inspection policy.
But when I try to access a secure web site, the client browser gets a certificate issued by FG100DXXXXXXX (xxxxx is my serial number) instead of a certificate issued by the Fortigate CA. Also, the subject name is invalid (it doesn't show the URL of the visited site).
I've created two Deep Inspection policies with the same result; I also explicitly chose Fortigate_CA_SSLProxy from the CLI (config firewall deep... edit xxx set caname Fortigate_CA_SSLProxy). Is this some kind of bug in 5.0.7??? I don't want to roll back to 5.0.6 because of Heartbleed.
I am seeing the same, but only without deep inspection (i.e. I have the SSL Inspection policy enabled *and* I have 'scan encrypted connections' unticked).
It is annoying as I don't need deep scanning but do need to protect against HTTPS access for certain sites.
When not using deep SSL inspection there is no man-in-the-middle performed, so allowed pages should not show any warnings; however, blocked pages will show warnings. This is because the Fortigate needs to replace that HTTPS page with the blocked-page message, which must be delivered over HTTPS; currently the Fortigate presents its own certificate (with CN=serial#), hence the warning.
I believe a new feature in 5.2 will give the ability for page reset and/or MITM only for blocked pages. Obviously, to bypass warnings this would still require loading the Fortigate or DC CA certificate into the browser/Windows.
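An added check, not from this thread or from Fortinet, that classifies the certificate a client actually receives and distinguishes the unit's self-issued serial-number certificate from one signed by the SSL-proxy CA. The sample certificate dicts are constructed in the format returned by Python's ssl getpeercert(); the CA common name and the serial are assumed placeholders.

```python
import ssl
import socket

# Assumed issuer CN for the FortiGate SSL-proxy CA; adjust to what your unit's CA carries.
EXPECTED_CA_CN = "Fortigate_CA_SSLProxy"

def _cn(name):
    """Pull commonName out of a getpeercert()-style RDN sequence."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def _host_matches(name, host):
    """Exact match or a single-label wildcard such as *.example.com."""
    if name.startswith("*."):
        return host.endswith(name[1:]) and host.count(".") == name.count(".")
    return name == host

def classify(cert, requested_host, expected_ca_cn=EXPECTED_CA_CN):
    """Describe what a browser would object to in a certificate presented by the proxy."""
    issuer_cn = _cn(cert.get("issuer", ()))
    subject_cn = _cn(cert.get("subject", ()))
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if subject_cn:
        names.append(subject_cn)
    signed_by_proxy_ca = issuer_cn == expected_ca_cn
    return {
        "issuer_cn": issuer_cn,
        "signed_by_proxy_ca": signed_by_proxy_ca,
        # Self-issued, CN equal to the unit serial: the device certificate, not a proxy cert.
        "device_cert": issuer_cn is not None and issuer_cn == subject_cn and not signed_by_proxy_ca,
        "host_matches": any(_host_matches(n, requested_host) for n in names),
    }

def fetch_cert(host, cafile, port=443, timeout=5):
    """Return (cert, None) or (None, error); getpeercert() is empty unless verification succeeds."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the exported proxy CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except OSError as exc:  # ssl.SSLCertVerificationError is an OSError subclass
        return None, str(exc)

# Constructed sample of the symptom described above: self-issued, CN is the unit serial
# (placeholder), and the visited site's name appears nowhere.
DEVICE_CERT = {"subject": ((("commonName", "FG100DXXXXXXXXXX"),),),
               "issuer": ((("commonName", "FG100DXXXXXXXXXX"),),)}
# Constructed sample of a proxy certificate correctly signed by the SSL-proxy CA.
PROXY_CERT = {"subject": ((("commonName", "www.example.com"),),),
              "issuer": ((("commonName", "Fortigate_CA_SSLProxy"),),),
              "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"))}
```

Run fetch_cert against a site through the firewall with the exported CA as cafile: a verification error names the device certificate case, and a returned dict can be passed to classify.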
There's a CLI command that can disable the replacement message for HTTPS websites; the browser's time-out message will be shown instead:
config webfilter profile
    edit "your webfilter profile"
        set https-replacemsg disable
    next
end
Thanks Bromont, ykonstantakopoulos.
I don't recall seeing the FGT S/N certificate before for blocked pages, only the CA proxy certificate (which I have loaded on my test PCs); maybe I have always had deep inspection on in the past?