Is there a work around for this type of SSL Error?
We're running a Fortigate 500D firewall.
Our users behind the firewall just suddenly started to see this message when trying to access anything related to Google:
I checked our IPv4 policies, and anything from inside out to the WAN has App, Web, and SSL profiles applied. I suspect the problem is with the SSL profile, but it doesn't let me disable it without disabling the App and Web filter too. Is there a way to disable the SSL profile from the CLI, or another workaround? Or, even better, an actual solution for this problem? Sadly I cannot call support because we don't have that license.
Could you check the certificate used by the browser when the issue happens? Also, please check whether the traffic is hitting the correct policy with certificate inspection, or any other policy with deep inspection.
If you create a policy for a single user with no-inspection and access the site, is the site still working without any cert errors?
The easiest way is on GUI to right-click the policy and say "edit in CLI".
You can also remove the inspection in the GUI, but it's all the same: you must remove all security profiles, save, then open the policy again and you can select no-inspection.
The error can be circumvented with no-inspection, but it would be better not to work around the problem but to fix it.
- The browser shows the error as it doesn't trust the certificate.
- The certificate (of the web server, as shown by the FortiGate) is not trusted because the browser doesn't have the web server's CA certificate included.
- The FortiGate replaces the original certificate for a reason.
The reasons could be many:
a) FortiGate is trying to present a block page. Someone has disallowed access to the Google-related pages.
b) FortiGate is protecting against a faulty certificate received from the other web server. Google usually would not have one, but another deep-inspecting node between FortiGate and Google might replace the certificate all the same with some certificate that FortiGate doesn't trust.
c) FortiGate is set up for deep inspection somewhere (as you said, that is not the case).
There might be more that I forgot.
In either of these cases:
FortiGate has to block HTTPS access from client to server, and that requires breaking TLS with a man-in-the-middle attack. It needs to re-sign the connection with its own web server certificate, signed by a CA certificate present on FortiGate. Clients by default do not trust it.
In case b) the FortiGate will use the "untrusted CA"; in cases a) and c) the regular CA certificate. To fix that error, fix the reason for a) or b), or if this reason is intended, import the regular CA certificate into the browser's trusted CA store.
b) is a special case, and the error is preventing a user from accessing a potentially compromised web server connection with a fake certificate that the client might actually trust. FortiGate will then display the untrusted-CA-signed connection, and the end user will usually stop at the error message.
You can also check the details below to fix this issue:
Check that the SSL certificate used by the Fortinet device is valid and has not expired. If the certificate has expired, you will need to renew it.
Verify that the SSL certificate is issued by a trusted Certificate Authority (CA). If it is not, you may need to install the CA's root certificate on your computer or network to trust the SSL certificate used by the Fortinet device.
Try accessing the Fortinet device using a different web browser. Sometimes, the SSL certificate issue may be browser-specific.
Check that the date and time on your computer are correct. If the date and time are incorrect, it may cause SSL certificate errors.
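The replies above ask the same question twice, in different forms: which CA actually issued the certificate the browser received, and whether its validity period or the client clock is the real problem. The script below is an added example, not code from the thread or from Fortinet. It uses the `openssl s_client` / `openssl x509` command line to fetch the leaf certificate exactly as a browser would (with SNI), parses the subject, issuer and validity dates, and labels the result using the three cases from the reply above (regular FortiGate CA for a block page or deep inspection, untrusted CA for a bad upstream certificate, origin CA when the FortiGate is not re-signing at all). The two FortiGate CA names are assumptions and must be replaced with the names shown in your own unit's certificate store; the sample `openssl x509` output is constructed so the parsing and classification can be exercised offline.

```python
"""Find out which CA issued the certificate a client actually receives.

Added example for the thread above, not Fortinet code. The FortiGate CA names
are assumed placeholders; read the real names from your unit's certificate store.
"""
import re
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Assumed names of the FortiGate re-signing CAs (placeholders, not from the thread).
FORTIGATE_SIGNING_CA = "Fortinet_CA_SSL"          # used for block pages / deep inspection (cases a, c)
FORTIGATE_UNTRUSTED_CA = "Fortinet_CA_Untrusted"  # used when the upstream certificate is bad (case b)


def _parse_name(value: str) -> dict:
    """Turn an RFC2253 name ('CN=a,O=b\\, c') or a legacy '/CN=a/O=b' name into a dict."""
    if value.startswith("/"):
        parts = value[1:].split("/")
    else:
        # split on commas that are not escaped with a backslash
        parts = re.split(r"(?<!\\),\s*", value)
    attrs = {}
    for part in parts:
        key, sep, val = part.partition("=")
        if sep:
            attrs[key.strip()] = val.strip().replace("\\,", ",")
    return attrs


def parse_x509_text(text: str) -> dict:
    """Parse the output of `openssl x509 -noout -subject -issuer -dates -nameopt RFC2253`."""
    cert = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("subject", "issuer"):
            cert[key] = _parse_name(value)
        elif key in ("notBefore", "notAfter"):
            # openssl prints e.g. 'Jan  1 00:00:00 2024 GMT'; strptime tolerates the double space
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            cert[key] = parsed.replace(tzinfo=timezone.utc)
    return cert


def classify(cert: dict, now: Optional[datetime] = None) -> str:
    """Map the presented certificate to the cause categories discussed in the thread."""
    now = now or datetime.now(timezone.utc)
    issuer_cn = cert.get("issuer", {}).get("CN", "")
    if issuer_cn == FORTIGATE_UNTRUSTED_CA:
        return "fortigate-untrusted-ca"   # case b): FortiGate distrusts what it got from upstream
    if issuer_cn == FORTIGATE_SIGNING_CA:
        return "fortigate-signing-ca"     # case a) or c): block page or deep inspection
    if "notAfter" in cert and now > cert["notAfter"]:
        return "expired"                  # origin certificate lapsed, or the client clock is ahead
    if "notBefore" in cert and now < cert["notBefore"]:
        return "not-yet-valid"            # almost always a wrong client clock
    return "origin-ca"                    # no re-signing; look at the client's trust store instead


def fetch_presented_cert(host: str, port: int = 443) -> dict:
    """Connect like a browser (with SNI) and return the parsed leaf certificate."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-dates", "-nameopt", "RFC2253"],
        input=s_client.stdout, capture_output=True, check=True)
    return parse_x509_text(x509.stdout.decode())


# Constructed sample of what `openssl x509` prints for a FortiGate-re-signed certificate.
SAMPLE_OUTPUT = """\
subject=CN=www.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
issuer=CN=Fortinet_CA_Untrusted,O=Fortinet,OU=Certificate Authority,C=US
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2024 GMT
"""

if __name__ == "__main__":
    import sys
    # with a hostname argument the live check runs; without one the constructed sample is used
    cert = fetch_presented_cert(sys.argv[1]) if len(sys.argv) > 1 else parse_x509_text(SAMPLE_OUTPUT)
    print(cert.get("subject", {}).get("CN"), "issued by", cert.get("issuer", {}).get("CN"),
          "->", classify(cert))
```

Run it from a machine behind the firewall as `python3 check_cert.py www.google.com`: an issuer CN matching the FortiGate's regular CA means the policy is re-signing (block page or deep inspection), the untrusted CA means the FortiGate itself rejected the upstream certificate, and a public CA as issuer with an "expired" or "not-yet-valid" label points at the certificate or the client clock rather than the firewall.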