
POP3s certificate error message

Hi, When I configured the FortiGate 80C and put up any predefined protection profile, on the users' side, if they turn on their MS Outlook for any POP3S email (e.g. Gmail), they always get an error message about a certificate which cannot be verified, along with the 0x800ccc1a error code from MS Outlook. However, if I take out the protection profile, they don't get any error message. May I get an explanation of why this is happening? Or do we have any way to run a protection profile without users having to experience that kind of error message? Appreciate your advice on this issue. Thanks and Regards, Andi
Carl_Wallmark
Valued Contributor

Hi and welcome, You have probably enabled "protocol options" on the firewall policy, and therefore enabled SSL deep scan. The FortiGate 80C is capable of scanning SSL traffic but requires a certificate on all clients to work without certificate errors. You should read the manual: http://docs.fortinet.com/fgt40mr2.html if this is something you want; if not, you have to disable the "protocol options" on the firewall policy.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C


Hi Selective, I did not put in any protocol options just yet; I am only testing it using any of the 'pre-defined' (default) protection profiles in the new FortiGate 80C, which also results in the same thing. As per the screenshot below, it's just URL filtering, and not deep scan. Also, I cannot see any disable options in there. Appreciate your further advice.
Carl_Wallmark
Valued Contributor

Ah, you are on "old" firmware, then you have two options:

1. Change the port for POP3S on the protection profile, so it won't trigger.
2. Create a new firewall rule with only POP3S with no protection profile.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C


Hi Selective, Thanks a lot, I think it pretty much clears the doubt that the new firmware has options to disable these things. Regards, Andi