Hello
I'm trying to set up a SSL Inspection Profile for a Server behind our Fortigate but as soon as I activate the SSL Profile I get an error for the Website that it's not been trusted. SSL Inspection Options is set to Protecting SSL Server.
If I activate the SSL Profile on the Policy and check on https://www.digicert.com/help/ I get following error:
"The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and the Serial Number which is shown for the Certificate I can't find under Certificates
I uploaded the Wildcard Certificate with Private Key to the Local Certificate and I can see it there. I also see the Intermediate Cert in the Remote CA Cerificate section. Do I have to upload the Root Cert as Remote Certificate to work or what could be the Problem?
I would appreciate your help!
A firewall policy with only an SSL inspection profile and no other UTM profiles will not actually touch the TLS at all. It is easier to understand SSL inspection as an "auxiliary profile" helping other UTM profiles with inspecting encrypted traffic, when those profiles need to inspect something. No other UTM => nothing to inspect => SSL inspetion will do nothing.
Two possible explanations then:
a, The certificate is applied from a server-load-balancing VIP (TLS type, or the type matching the desired protocol, e.g. HTTPS)
b, The certificate is provided by the real server, with FortiGate not affecting anything.
But still SSL Deep Inspection has to work first. If I have the Certificates only on the Webserver I can't inspect the traffic. Thats why I uploaded them to the Fortigate so I can use SSL Deep Inspected for the Traffic torwards the Server and then add other Security Profiles
Of course, but what I am saying is that the SSL inspection profile is not expected to do anything at all if you don't have any other UTM profile selected in the firewall policy (which seems tobe the case based on your screenshot of the policy).
If you want to see realistic results of deep-inspection in the firewall policy, add some UTM profile first, e.g. a monitor-all webfilter. Or a dummy IPS profile.
Thank you but my issue is not that I don't see anything on the Firewall. My issue is that the Browser is giving Certificate errors since the Website is not trusted because the Firewall sends the wrong Certificate.
I did a Trace and I see in Wireshark that if SSL Inspection is disabled I get the right Certificate from the Server. If I activate SSL Inspection the Firewall sends the wrong Certificate -->Local CA Certificate "Fortinet_CA_SSL" instead of the one selected Certificate in the Profile.
Do I have to uploade a part of the Certificate as CA Certificate?
I think what @pminarik is trying to tell is that your issue may be fixed just by enabling any security profile, for example you can just try set IPS: default
Hmm, alright. I reviewed the screenshots again, and noticed one more thing.
The browser is showing that the "mysterious" certificate is signed by "Fortinet Untrusted CA", typically meanting that the FortiGate doesn't like the real server's certificate.
Is there anything special about it? E.g. being self-signed, or signed by a CA that the FortiGate doesn't trust yet, or being issued for an FQDN/IP that doesn't match the name being requested by the client?
I also tried with adding another Security Profile but still same issues.
It's a Certificate from Digicert not self-signed. I Uploaded the .pem (which includes the whole Certificate Chain) to Local Certificate. SAN also has the right DNS entries.
Now my Question. In the Wireshark I saw that as soon as I activate the Policy with the SSL Profile and the Uploaded Cert, Fortigates sends the "Fortinet_CA_SSL" Certificate which is located under Local CA Certificates instead of the one in the SSL Profile. Do I hava to upload my Cert as a Local CA Certificate instead of Local Certificate?
I really appreciate your help
Can you try capturing the Fortigate<->server segment of the traffic in a pcap? Ideally during a TLS 1.2 exchange. I would try to focus on verifying what certificates the FortiGate receives from the server when it's making the connection. Hopefully there will be something visible that will explain why the FortiGate is flagging this as "untrusted".
Hi @3RR0R
Tried the following in my lab (FOS 6.2.16) and if worked successfully (the right ssl cert is shown).
Note that I didn't use VIP/VS for this test.
Thank you guys for your help. I opened a Ticket. I've read a lot about people having Issues with Digicert Certificates and SSL Inspection.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.