Hi Johnatan, for example:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider."

And as I said, the certificate uploaded to the deep inspection profile has the entire chain and it has not this problem in flow mode. The same SSL checker doesn't find errors. It is therefore a problem with the DS mode and not with the certificate. 

To not relay on public website you can also use the openssl from a linux box, with the following command:

openssl s_client -showcerts -connect yourdomain.com:443

It will print out the full chain and the content of the certificates so you can use the output to verify if there is a difference when the mode is changed from proxy to flow mode.

I will try to do it and tell you know the results.

Thanks ¡¡¡

The inspection mode modify the uploaded certificate:

-In flow mode we can see all the chain (depth 0, 1, 2)

-In proxy mode we cannot see all the chain (depth 0) an that causes some errors.

It seems like a bug, I haven't read about differences whit proxy or flow mode when te firewall gives the certificate. In my opinion this is not correct.

I attach you both results, the first one is the flow mode:

Now proxy mode (whe can see an error and only one cert):

Hello fortimaster, 

Are you using some sort of VIP or VirtualServer to reach your webservers?
If that is the case can you share the VIP or Virtual Server config?
Also 7.2.8 was released today and there are some interesting bug fixes regarding VIP/Virtual Servers, so it would not be a bad idea to upgrade and test. 

Hi Ezupa, 

Yes, there are web servers and I use VIP to reach them.