Invalid CA Root Certificate when SSL Inspection is enabled
I have an FG100D with FortiOS 5.0.7 with SSL Inspection enabled. I've chosen Fortigate_CA_SSLProxy as the Signing CA certificate in my Deep Inspection policy.
But when I try to access a secure web site, the client browser gets a certificate issued by FG100DXXXXXXX (xxxxx is my serial number) instead of a certificate issued by the Fortigate CA. Also the subject name is invalid (it doesn't show the URL of the visited site).
I've created two Deep Inspection policies with the same result; I also explicitly chose Fortigate_CA_SSLProxy from the CLI (config firewall deep... edit xxx set caname Fortigate_CA_SSLProxy). Is this some kind of bug in 5.0.7??? I don't want to roll back to 5.0.6 because of Heartbleed.
Regards
Rodrigo
6 REPLIES
I am seeing the same, but only without deep inspection (i.e. I have the SSL Inspection policy enabled *and* I have 'scan encrypted connections' unticked).
It is annoying as I don't need deep scanning but do need to protect against HTTPS access for certain sites.
When not using deep SSL inspection there is no man-in-the-middle performed, so allowed pages should not show any warnings; however, blocked pages will show warnings... this is due to the Fortigate needing to replace that HTTPS page with the blocked page message, which must be delivered over HTTPS. Currently the Fortigate presents its own certificate (with CN=serial#), thus the warning.
I believe a new feature in 5.2 will give the ability for page reset and/or m-i-t-m only for blocked pages... obviously, to bypass warnings this would still require loading the Fortigate or DC CA certificate into the browser/Windows.
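As an added example (not from this thread or from Fortinet's own tooling), a small POSIX shell check that tells which of the three situations described above a client is in, from the certificate openssl sees through the FortiGate. It assumes the signing CA is named Fortigate_CA_SSLProxy and that the device certificate's CN is the unit serial number beginning with "FG", as in the "FG100DXXXXXXX" shown in the question.

```shell
#!/bin/sh
# Added example, not from the thread or Fortinet. Assumptions: the signing CA
# chosen in the deep-inspection policy is Fortigate_CA_SSLProxy, and the
# FortiGate's own certificate has CN=<serial>, which starts with "FG".

# Extract the CN from an "openssl x509 -noout -subject/-issuer" line, e.g.
#   subject=CN = www.example.com, O = Example       (OpenSSL 1.1+)
#   subject= /C=US/O=Example/CN=www.example.com      (OpenSSL 1.0)
cn_of() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# classify_cert HOST SUBJECT_LINE ISSUER_LINE -> prints one word:
#   site          normal site certificate (name matches, issuer is some other CA)
#   deep-inspect  re-signed by Fortigate_CA_SSLProxy (SSL inspection working)
#   block-page    FortiGate's own CN=<serial> certificate, name does not match
#   unknown       anything else (e.g. a different CA name set in the policy)
classify_cert() {
    host=$1
    subj=$(cn_of "$2")
    iss=$(cn_of "$3")
    name_ok=0
    case "$subj" in
        "$host") name_ok=1 ;;
        \*.*) [ "${host#*.}" = "${subj#\*.}" ] && name_ok=1 ;;   # *.example.com
    esac
    if [ "$iss" = "Fortigate_CA_SSLProxy" ] && [ "$name_ok" = 1 ]; then
        echo deep-inspect
    elif [ "$name_ok" = 0 ]; then
        case "$iss" in FG*) echo block-page ;; *) echo unknown ;; esac
    else
        echo site
    fi
}

# check_site HOST: fetch the leaf certificate as a client behind the firewall
# sees it and classify it (requires the openssl command line tool).
check_site() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -subject -issuer) || return 1
    classify_cert "$1" "$(printf '%s\n' "$out" | grep '^subject')" \
                       "$(printf '%s\n' "$out" | grep '^issuer')"
}
```

Run it as `check_site www.example.com` from a machine behind the FortiGate; "block-page" on a site you expect to be allowed means the policy is not re-signing with the chosen CA.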
There's a CLI command that can disable the replacement message for HTTPS websites; the browser's time-out message will be shown instead:
    config webfilter profile
        edit "your webfilter profile"
            set https-replacemsg disable
        next
    end
Thanks Bromont, ykonstantakopoulos.
I don't recall seeing the FGT S/N certificate before for blocked pages, only the CA Proxy certificate (which I have loaded on my test PCs); maybe I have always had deep inspection on in the past?
Please, I need help ASAP.
Most of our company websites are showing an unsecured connection (invalid CA); instead of displaying the right CA information, it shows our Fortigate serial number. Please help me out.
MT
We just upgraded from 5.4.5 to 6.0.2. We can't downgrade because we might cause more harm than good, so please, what could be the reason for this?
MT