NewFreedom
New Contributor

NordVPN on Fortigate 120G 7.4.5 and 7.4.6 (Mature)

Hi folks,

 

I've found that SSL Certificate Inspection in the configuration below, applied to my LAN -> WAN policy, is substituting the NordVPN certificate with my FortiGate certificate. NordVPN is detecting the change and terminating the connection. If I disable certificate inspection, NordVPN connects without issue. When SSL Certificate Inspection is selected, it is not possible to add exceptions. I tried choosing Full SSL Inspection instead and added the exceptions for the NordVPN addresses below, but that yielded the same result. I upgraded from 7.4.5 to 7.4.6 and still have the same issue.

 

Any ideas? Thanks in advance!

 

NordVPN addresses excepted:
*.nordvpn.com
*.nordcdn.com
*.rsc.cdn77.org
*.nordlayer.com
*.nordlinks.com
*.nordapi.com

 

Here is the NordVPN error:

Screenshot 2025-01-03 170224.png

Here is the default SSL Certificate Inspection policy I have applied:

Screenshot 2025-01-03 170011.png

 

Here is the "exception" policy I tried:

Screenshot 2025-01-03 170736.png

 

2 REPLIES
dingjerry_FTNT

Hi @NewFreedom ,

 

This is weird. As the name implies, Certificate Inspection will inspect the CN in the certificate or the SNI in the Client Hello, which is not encrypted, so the FGT will not be the MITM to decrypt and encrypt the traffic.

Regards,

Jerry
dingjerry_FTNT

You have the Thumbprint info in the first screenshot. Could you please log into your FGT to check the Fingerprint info for the "Fortinet_CA_SSL" certificate and compare whether they are the same one?

Regards,

Jerry
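
An added example, not part of the thread and not Fortinet tooling: one way to do the thumbprint comparison requested above, assuming the "Fortinet_CA_SSL" certificate has been exported as PEM and the thumbprint is copied from the client's error dialog. The function names are hypothetical and the sample certificate bytes are constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprints(der):
    """A certificate fingerprint is a plain digest of its DER encoding."""
    return {name: hashlib.new(name, der).hexdigest()
            for name in ("sha1", "sha256")}

def normalize(thumbprint):
    """Drop colons, spaces and invisible characters; lowercase the hex.

    Paste only the hex value: a label such as "SHA1:" contains hex
    letters and would be rejected by the length check below.
    """
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", thumbprint).lower()
    if len(hex_only) not in (40, 64):
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits")
    return hex_only

def matches(thumbprint, pem_text):
    """Return the digest name that matches, or None for a different cert."""
    wanted = normalize(thumbprint)
    for name, digest in fingerprints(pem_to_der(pem_text)).items():
        if digest == wanted:
            return name
    return None

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    der = b"constructed-sample-not-a-real-certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.b64encode(der).decode()
           + "\n-----END CERTIFICATE-----\n")
    shown = hashlib.sha1(der).hexdigest().upper()
    print(matches(shown, pem))
```

A `None` result means the certificate shown to the client is not the exported one, so something other than that CA certificate is being presented.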