I'm having a problem where my FGT is injecting the "Fortinet Untrusted CA cert" instead of my Custom CA when inspecting traffic to certain websites. Anyone else running into this problem? After a very long call with TAC I think we have this issue nailed down to a bug with 5.4.1 and the introduction of the "Fortinet Untrusted CA Cert".
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong one. 'Do it yourself'. Yes, that's it." - Linus Torvalds
So, I feel like I should respond to this as we (TAC and I) were able to figure out what was happening. The "untrusted CA certificate" is a new feature in version 5.4.x. If there is an issue with the certificate chain, the Fortigate will use the "Untrusted CA certificate" by default for SSL inspection.
Now this leaves you 2 options: 1.) Deploy the "Untrusted CA Certificate" all over your environment... no thank you. 2.) Set the "untrusted CA Cert" to the "Trusted CA Certificate" you're using for SSL-DPI.
Personally I went with option 2, else you will be making "exceptions" for every single broken certificate chain your users come in contact with (for me this number has only been 2, but I anticipate more). Even if the site/URL is malicious, the encrypted traffic will still be inspected and hopefully the FGT will keep out the bad stuff.
How do you set the untrusted CA cert to your trusted cert?
How about replacing the untrusted cert? You should do that by default.
Take a look at the following under SSL and certificate
( defaults )
set caname "Fortinet_CA_SSLProxy"
set untrusted-caname "Fortinet_CA_Untrusted"
You can import your trusted cert, and replace the ssl inspection cert FWIW
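The option 2 change from the thread, written out in the FortiOS 5.4 CLI context where the defaults quoted above live (an added illustration, not from any post in this thread): both names are attributes of a firewall ssl-ssh-profile, and pointing untrusted-caname at the same CA that caname uses is what makes the FortiGate re-sign broken chains with the CA your clients already trust. The profile name "custom-deep-inspection" and the certificate name "MyCorp_SSL_Inspect_CA" are placeholders for your own imported local certificate.

```text
# Default (FortiOS 5.4): a site with a broken chain is re-signed with
# Fortinet_CA_Untrusted, which clients do not trust, so they get a warning.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set caname "Fortinet_CA_SSLProxy"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
end

# Option 2 from the thread: point both at the CA already deployed to clients.
# "MyCorp_SSL_Inspect_CA" is a placeholder for the imported local certificate.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set caname "MyCorp_SSL_Inspect_CA"
        set untrusted-caname "MyCorp_SSL_Inspect_CA"
    next
end
```

With this in place a broken upstream chain no longer produces a browser warning, because the client sees a certificate from your trusted CA; the FortiGate's own validation of the server chain is then the only remaining signal, which is the trade-off the thread accepts.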
Is there a way to do it in the GUI? I'm a moron when it comes to the CLI