Hi all,
I have observed that, when I enable deep inspection in proxy mode to protect my web servers, the SSL check on SSL checker pages does not pass. Obviously, I use the same certificate in both cases. In browsers, I see the certificates perfectly.
On the other hand, I have some problems with DS in proxy mode, but I prefer to use it because it provides stronger security than flow mode.
Why, when I enable deep inspection in proxy mode, does the SSL check not pass in any website checker? I attach some examples. With the same certificate in flow mode it works fine in all cases.
I'm using FortiOS 7.2.7
Thanks
Are you able to see why it is not trusted? The screenshots don't give much info.
https://www.ssllabs.com/ssltest/ should give you much more info, it's the one I use.
Created on 03-13-2024 08:30 AM Edited on 03-13-2024 08:32 AM
Hi Johnatan, for example:
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider."
And as I said, the certificate uploaded to the deep inspection profile has the entire chain and it does not have this problem in flow mode. The same SSL checker doesn't find errors. It is therefore a problem with the DS mode and not with the certificate.
To not rely on a public website, you can also use openssl from a Linux box with the following command:
openssl s_client -showcerts -connect yourdomain.com:443
It will print out the full chain and the content of the certificates so you can use the output to verify if there is a difference when the mode is changed from proxy to flow mode.
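To compare the two runs without eyeballing the output, here is an added example (not from the thread or from Fortinet) that parses saved `openssl s_client -showcerts` output and reports whether the server sent a full chain. The two sample outputs are constructed to mirror the symptom described in the thread: one run with leaf + intermediate, one with only depth 0.

```python
import re

# Constructed `openssl s_client -showcerts` output (PEM bodies omitted): leaf + intermediate sent, verify ok.
FLOW_MODE = """\
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Intermediate CA
 1 s:C = US, O = Example Intermediate CA
   i:C = US, O = Example Root CA
---
Verify return code: 0 (ok)
"""
# Constructed output where only the leaf (depth 0) is sent, so the chain cannot be built.
PROXY_MODE = """\
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(output: str) -> dict:
    """Extract the certs the server sent, any verify errors and the final verify code."""
    pairs = re.findall(r"^ *\d+ s:(.*)\n *i:(.*)$", output, re.M)
    code = re.search(r"^Verify return code: (\d+)", output, re.M)
    return {
        "chain": [(s.strip(), i.strip()) for s, i in pairs],
        "verify_errors": re.findall(r"^verify error:(.*)$", output, re.M),
        "verify_code": int(code.group(1)) if code else None,
    }

def diagnose(summary: dict) -> str:
    """Return 'ok' or the reason an SSL checker would reject the presented chain."""
    chain, code = summary["chain"], summary["verify_code"]
    for (subj, iss), (nxt, _) in zip(chain, chain[1:]):
        if iss != nxt:  # each cert must be followed by its issuer
            return f"broken link: {subj} issued by {iss}, next cert is {nxt}"
    if code != 0:
        errs = "; ".join(summary["verify_errors"]) or "unknown"
        return f"{len(chain)} cert(s) sent, verify code {code}: {errs}"
    return "ok"
```

Save each run with `openssl s_client -showcerts -connect yourdomain.com:443 </dev/null > flow.txt` (and likewise for proxy mode) and feed the file contents to `parse_chain`; a browser that has cached the intermediate will not show the difference, but an online checker will.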
I will try to do it and let you know the results.
Thanks!!!
The inspection mode modifies the uploaded certificate:
-In flow mode we can see all the chain (depth 0, 1, 2)
-In proxy mode we cannot see all the chain (depth 0) and that causes some errors.
It seems like a bug, I haven't read about differences with proxy or flow mode when the firewall gives the certificate. In my opinion this is not correct.
I attach both results, the first one is the flow mode:
Now proxy mode (we can see an error and only one cert):
Created on 03-15-2024 03:21 AM Edited on 03-15-2024 03:48 AM
Hello fortimaster,
Are you using some sort of VIP or VirtualServer to reach your webservers?
If that is the case can you share the VIP or Virtual Server config?
Also 7.2.8 was released today and there are some interesting bug fixes regarding VIP/Virtual Servers, so it would not be a bad idea to upgrade and test.
Hi Ezupa,
Yes, there are web servers and I use VIP to reach them.