Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mksherman
New Contributor

Is there a work around for this type of SSL Error?

Hello,

We're running a Fortigate 500D firewall

Our users behind the firewall just suddenly started to see this message trying to access anything related to Google:

ssl errorssl error

I checked our IPv4 policies, and anything from inside out the WAN has App, Web, and SSL profiles applied. I suspect the problem is with the SSL profile, but it doesn't let me disable it without disabling the APP and Web filter too.
Is there a way to disable the SSL profile from the CLI or another workaround? Or, even better, an actual solution for this problem?
Sadly I cannot call support because we don't have that lic.

10 REPLIES 10
gfleming
Staff
Staff

You either have deep inspection turned on on the SSL profile. Check to make sure. You should be using certificate inspection only. 

 

Now sometimes FGT will need to present a message even with just cert inspection and in this case will give you a cert warning because its not trusted from the FGT. 

 

Can you show the config for your SSL Profile?

Cheers,
Graham
mksherman

I'm using the default "certificate-inspection" 

It doesn't seem to be doing any deep-inspection, which is why this error is odd. 

gfleming

It could be FortiGuard is unreachable to determine web rating and thus you are presented with an error (which can't be displayed because it's using untrusted FGT cert)

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Web-Page-Blocked-An-error-occurred-while-t...

Cheers,
Graham
kvimaladevi

Hi mksherman,

Could you check the certificate used by the browser when the issue happens. Also, please if the traffic is hitting the correct policy with certificate inspection or any other policy with deep inspection.

 

If you create a policy for a single user with no-inspection and access the site, is the still working without any cert errors?

 

Regards,

Vimala

rtichkule
Staff
Staff

Hello,


You should put the Fortinet CA certificate in the end user machine's Trusted root CA directory, as this is necessary for the deep inspection to function properly.

 

In case if you dont want any SSL inspection you can disable it from the cli

 

# config firewall policy
# edit <policy id>
# set ssl-ssh-profile no-inspection
# end

 

BR

mksherman

Sorry, can you clarify the syntax?

config firewall policy it goes to:

policy.PNG

Is this where I put the number of the ipv4 policy?

 

 

Markus_M

The easiest way is on GUI to right-click the policy and say "edit in CLI".

You can also remove the inspection on the GUI however all the same. You must remove all security profiles, save, then open again and you can select no-inspection.

 

The error can be circumvented with the no-inspection, but it would be better to not work around a problem, but fix it.

- The browser shows the error as it doesn't trust the certificate.

- the certificate (of the web server that FortiGate shows) is not trusted because the browser doesn't have the web servers CA certificate included.

- The FortiGate replaces the original certificate because of a reason.

 

The reasons could be many:

a) FortiGate is trying to present a block page. Someone disallowed you to access the google-related pages.

b) FortiGate is protecting against a faulty certificate received from the other web server. Google usually would not have it, but another deep-inspecting node between FortiGate and Google might replace the certificate all the same with some certificate that FortiGate doesn't trust.

c) FortiGate is set up for deep inspection somewhere (as you said that is not the case)

There might be more and I forgot.

In either of these cases:

FortiGate has to block HTTPS access from client to server and requires breaking TLS with a man-in-the-middle-attack. It needs to re-sign the connection with its own web server certificate, signed by a CA certificate present on FortiGate. Clients by default do not trust it.

In case b) the FortiGate will use the "untrusted CA", in case a) and c) the regular CA certificate. To fix that error, fix the reason for a) or b) or if this reason is intended, import the regular CA certificate to the browsers trusted CA store.

 

b) is a special case and the error is preventing a user from accessing a potentially compromised web server connection with a fake certificate that the client might actually trust. FortiGate will then display the untrusted CA signed connection and the end user will usually stop at the error message.

 

More info on certificates:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-TLS-and-the-use-of-Digital-Certificates/ta...

 

Best regards,

 

Markus

rtichkule

Here you need to put the policy ID which you can find in the GUI.

Shilpa1
Staff
Staff

Hello, 

 

You can also check the below details to fix this issue 

  1. Check that the SSL certificate used by the Fortinet device is valid and has not expired. If the certificate has expired, you will need to renew it.

  2. Verify that the SSL certificate is issued by a trusted Certificate Authority (CA). If it is not, you may need to install the CA's root certificate on your computer or network to trust the SSL certificate used by the Fortinet device.

  3. Try accessing the Fortinet device using a different web browser. Sometimes, the SSL certificate issue may be browser-specific.

  4. Check that the date and time on your computer are correct. If the date and time are incorrect, it may cause SSL certificate errors.



    Regards,
    Shilpa

Labels
Top Kudoed Authors