Hi All,
I've configured a policy with SSL Deep Inspection for my company and installed the Fortigate CA certificate on our devices in order to not be shown the certificate warning. However (on both Mac and Windows devices), when using Firefox it does seem to work correctly and the certificate shown by the browser is the Fortigate's, though when using either Chrome or Edge the certificates shown in the browser are the original webserver certificates, just as if the deep inspection policy didn't exist at all.
What am I missing?
Hi
You need to check what is the TLS version used in Chrome or Edge.
Since Firefox has its own settings, they might be configured in tandem with the firewall's TLS version settings, and thus you are not seeing the error.
Try to manipulate the TLS versions of browsers to what you have under fortigate settings.
config system global
set admin-https-ssl-versions
I've enabled 'Enforce SSL cipher compliance' and 'Enforce SSL negotiation compliance' on the FG security profile and now it seems to work properly on macOS devices: both Firefox and Chrome show website certificates as issued by Fortinet. Though the situation on Windows devices remains unchanged: Firefox works as expected, while Chrome and Edge do not show any warning, but the certificates are issued by the original CA (Google, GlobalSign, etc.).
Hi
I believe this entirely depends on the webserver, in general:
If you see Fortinet as issuer, that means FortiGate is re-signing the certificate and acts as a man-in-the-middle.
The FortiGate receives the Original Server Certificate from the server, and will then sign it with its CA Certificate (Fortinet_CA or another). The Issuer of the Signed Server Certificate will be changed at this time. Finally, the client will receive the Signed Server Certificate from FortiGate.
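To see which CA actually issued the certificate that reaches a client, independently of any browser's trust store, here is an added check script (my example, not Fortinet's code). It assumes the re-signing CA's issuer names contain "Fortinet" (true for the default Fortinet_CA; change the marker for a custom CA), speaks plain TCP TLS only, and verifies against Python's default trust store, which may differ from the browser's.

```python
"""Report whether a site's certificate reaches this host re-signed by the
inspection CA or untouched.  Added example, not Fortinet code."""
import ssl
import socket

# Assumption: the re-signing CA's issuer carries 'Fortinet' (default
# Fortinet_CA).  Change the marker if the FortiGate uses your own CA.
INSPECTION_CA_MARKER = "Fortinet"

def issuer_attributes(cert):
    """Flatten the 'issuer' of an SSLSocket.getpeercert() dict to {attr: value}."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}

def classify(cert, marker=INSPECTION_CA_MARKER):
    """'inspected' if an issuer attribute names the inspection CA,
    'passthrough' if the original CA signed it, 'unknown' without issuer."""
    attrs = issuer_attributes(cert)
    if not attrs:
        return "unknown"
    if any(marker.lower() in str(v).lower() for v in attrs.values()):
        return "inspected"
    return "passthrough"

def check_host(host, port=443, timeout=5.0):
    """Plain TCP+TLS handshake (QUIC is never used) verified against Python's
    default trust store.  Keep verification on: with CERT_NONE, getpeercert()
    returns {} and the issuer is lost."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this machine's store; a browser on the same store warns too.
        return "untrusted", str(exc)
    return classify(cert), issuer_attributes(cert).get("commonName", "")

# Constructed getpeercert()-shaped dicts for offline testing.
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Fortinet"),),
                               (("commonName", "FGT-EXAMPLE-SERIAL"),))}
SAMPLE_PASSTHROUGH = {"issuer": ((("countryName", "US"),),
                                 (("organizationName", "Example Trust"),),
                                 (("commonName", "Example Server CA"),))}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["example.com"]:
        status, cn = check_host(name)
        print(f"{name}: {status} (issuer CN {cn!r})")
```

If this reports "inspected" for a site while Chrome or Edge still shows the original issuer, the browser is reaching the site by a path this TCP check does not take.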
Yeah, that's clear. Though my expectation was to see the Fortigate act as a man-in-the-middle and re-sign the certificate for every single session, since deep inspection is enabled. Am I wrong?
In case you never solved this. Web filtering needs to be enabled on the policy for it to work. I was just dealing with this same issue where the sites were signed by the original CA but when I enabled Web Filtering on the policy on the fortigate now all sites show signed by my fortigate. Hope this helps other people who search for solutions on this problem.
Hi @dclabs
Thanks for posting your query
Can you confirm whether the policy is proxy-based or flow-based? Also, after installing the certificate on the local machine, is it reflected at the OS level, or have you imported the certificate at the browser level?
Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.
If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.
Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.
If you are using macOS, double-click the certificate file to launch Keychain Access.
Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.
Firefox (Windows and macOS)
Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.
If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.
In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.
Select View Certificates, select the Authorities list. Import the certificate and set it to be trusted for website identification.
Quite true in the past, but things have changed.
As of FF 49, you can configure FF to trust the Windows cert store. This way, you can centrally manage your clients even if they are using FF.
How to make Firefox trust the Windows cert store:
Type "about:config" into the address bar.
Type "security.enterprise_roots.enabled" to search for the entry. If not present, create a Boolean entry with this name.
Set the value to "true".
Reference: for example, Cisco Umbrella
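To audit, rather than assume, that a profile has this flag on, here is an added Python example (mine, not Mozilla's or Fortinet's) that reads the pref out of a profile's prefs.js or user.js and emits the equivalent policies.json for pushing the setting centrally; the policies.json mechanism (Firefox's Certificates/ImportEnterpriseRoots enterprise policy) is not mentioned in the post, and the prefs.js excerpts are constructed.

```python
"""Audit a Firefox prefs.js/user.js for security.enterprise_roots.enabled
and emit the equivalent enterprise policy.  Added example, not Mozilla code."""
import json
import re

PREF = "security.enterprise_roots.enabled"
# prefs.js lines look like:  user_pref("name", value);
# where value is true/false, an integer, or a double-quoted string.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)

def parse_prefs(text):
    """Map pref name -> Python value (bool, int or str) from prefs.js text."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # leave anything unusual untouched
    return prefs

def trusts_os_store(text):
    """True only when the pref is present and explicitly true (Firefox default is false)."""
    return parse_prefs(text).get(PREF) is True

def enterprise_policy():
    """policies.json content (saved under the Firefox install directory as
    distribution/policies.json) that enforces the same behaviour fleet-wide."""
    policy = {"policies": {"Certificates": {"ImportEnterpriseRoots": True}}}
    return json.dumps(policy, indent=2)

# Constructed prefs.js excerpts, not taken from a real profile.
SAMPLE_MANAGED = '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1700000000);
user_pref("security.enterprise_roots.enabled", true);
user_pref("browser.startup.homepage", "https://intranet.example");
'''
SAMPLE_DEFAULT = 'user_pref("browser.startup.homepage", "https://intranet.example");\n'

if __name__ == "__main__":
    for label, text in (("managed", SAMPLE_MANAGED), ("default", SAMPLE_DEFAULT)):
        print(f"{label}: trusts OS store = {trusts_os_store(text)}")
    print(enterprise_policy())
```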
Hi,
Please make sure that QUIC protocol is blocked.
For more details, please see the link below.
Technical Tip: Block QUIC Protocol - Fortinet Community
Hi dclabs,
In order for a deep inspection to work, you need at least one security profile configured to the policy.
Make sure, you have a security profile attached to the policy that the traffic traverses.
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
Copyright 2024 Fortinet, Inc. All Rights Reserved.