Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dclabs
New Contributor

SSL Deep Inspection not working with Chrome and Edge browsers

Hi All,

I've configured a policy with SSL Deep Inspection for my company and installed the FortiGate CA certificate on our devices in order to not be shown the certificate warning. However (on both Mac and Windows devices), when using Firefox it does seem to work correctly and the certificate shown by the browser is the FortiGate's, though when using either Chrome or Edge the certificates shown in the browser are the original webserver certificates, just as if the deep inspection policy didn't exist at all.

What am I missing?

sharmaj
Staff

Hi

You need to check which TLS version is used in Chrome or Edge.

Firefox has its own settings, and they might be configured in tandem with the firewall's TLS version, which is why you are not seeing the error.

Try to adjust the TLS versions of the browsers to what you have under the FortiGate settings.

config system global
    set admin-https-ssl-versions

Jay sharma
dclabs
New Contributor

I've enabled 'Enforce SSL cipher compliance' and 'Enforce SSL negotiation compliance' on the FG security profile and now it seems to work properly on macOS devices: both Firefox and Chrome show website certificates as issued by Fortinet. Though the situation on Windows devices remains unchanged: Firefox works as expected, while Chrome and Edge do not show any warning but the certificates are issued by the original CA (Google, GlobalSign, etc.).

sharmaj

Hi

I believe this entirely depends on the webserver, in general:

If you see Fortinet as issuer, that means FortiGate is re-signing the certificate and acts as a man-in-the-middle.

The FortiGate receives the Original Server Certificate from the server, and will then sign it with its CA Certificate (Fortinet_CA or another). The Issuer of the Signed Server Certificate will be changed at this time. Finally, the client will receive the Signed Server Certificate from FortiGate.

Jay sharma
dclabs
New Contributor

Yeah, that's clear. Though my expectation was to see the FortiGate act as a man-in-the-middle and re-sign the certificate for every single session, since deep inspection is enabled. Am I wrong?

BryanV93

In case you never solved this: web filtering needs to be enabled on the policy for it to work. I was just dealing with this same issue where the sites were signed by the original CA, but when I enabled Web Filtering on the policy on the FortiGate, now all sites show as signed by my FortiGate. Hope this helps other people who search for solutions to this problem.

asengar
Staff

Hi @dclabs

Thanks for posting your query.

Can you confirm whether the policy is proxy-based or flow-based? Also, after installing the certificate on the local machine, is it reflected at the OS level, or have you imported the certificate at the browser level?

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.


If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.


Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store instead of the OS store.

If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, select the Authorities list. Import the certificate and set it to be trusted for website identification.

@bhishek
ede_pfau
Esteemed Contributor III

@asengar

Quite true in the past, but things have changed.

As of FF 49, you can configure FF to trust the Windows cert store. This way, you can centrally manage your clients even if they are using FF.


How to make Firefox trust the Windows cert store:

Type "about:config" into the address bar.

Type "security.enterprise_roots.enabled" to search for the entry. If not present, create a Boolean entry with this name.

Set the value to "true".

Reference: for example, Cisco Umbrella


Ede

"Kernel panic: Aiee, killing interrupt handler!"
alshinnaq
New Contributor

Hi,

Please make sure that the QUIC protocol is blocked.

For more details, please see the link below.

Technical Tip: Block QUIC Protocol - Fortinet Community


Regards


Mohamed A. Alshinnaq
Network Manager – Information Technology
Assaray Trade & Investment Bank (ATIB) | M: +218913476268 | Telephone: +218 21 366 0780 # #1250
[For more information, visit our website: atib.ly]
Bjay_Prakash_Ghising
Contributor

Hi dclabs,

In order for deep inspection to work, you need at least one security profile configured on the policy.

Make sure you have a security profile attached to the policy that the traffic traverses.

Hope that helps,

Kind Regards,

Bijay Prakash Ghising
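Pulling the Windows-side checks from asengar's, ede_pfau's and alshinnaq's replies into one client diagnostic, as an added example that is not from this thread or from Fortinet: it checks the OS Trusted Root store (which Chrome and Edge use), the Firefox enterprise-roots policy, and which issuer a plain TCP/TLS handshake to a site actually presents. The CA subject pattern, the test host and the Firefox policy registry path are assumptions; because this handshake is TCP only, a FortiGate issuer here while Chrome or Edge still shows the original CA is consistent with alshinnaq's point that QUIC must be blocked.

```powershell
# Added diagnostic, not from the thread: checks a Windows client for the three
# things the replies above point at. Values marked "assumed" are placeholders.
param(
    [string]$CaSubjectPattern = 'Fortinet',   # assumed: match the CN of your FortiGate CA
    [string]$TestHost         = 'example.com' # assumed: any HTTPS site covered by the policy
)

# 1. OS Trusted Root store: this is the store Chrome and Edge consult.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $CaSubjectPattern }
if ($rootCa) {
    "Trusted Root store: found $($rootCa.Subject -join '; ')"
} else {
    "Trusted Root store: no CA matching '$CaSubjectPattern' (Chrome/Edge will not trust re-signed certs)"
}

# 2. Firefox: the policy equivalent of security.enterprise_roots.enabled = true
#    (registry path assumed from the Mozilla policy templates).
$ffKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
$ffVal = (Get-ItemProperty -Path $ffKey -ErrorAction SilentlyContinue).ImportEnterpriseRoots
if ($ffVal -eq 1) { "Firefox: ImportEnterpriseRoots policy enabled (uses the OS store)" }
else              { "Firefox: policy not set; it uses its own store unless about:config is changed" }

# 3. Who issued the certificate on a plain TCP/TLS handshake (no QUIC involved)?
$script:seenIssuer = $null
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:seenIssuer = $cert.Issuer
    return $true   # accept anything: we only want to observe the issuer
}
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try     { $ssl.AuthenticateAsClient($TestHost) }
finally { $ssl.Dispose(); $tcp.Dispose() }

"TLS issuer for ${TestHost}: $seenIssuer"
if ($seenIssuer -match $CaSubjectPattern) {
    "-> re-signed by the FortiGate: deep inspection is active on this TCP path"
} else {
    "-> original issuer: this session was not inspected"
}
```

Run it on an affected Windows client; if step 1 reports the CA missing, the certificate was imported into a browser profile rather than the OS store, which matches the Firefox-works/Chrome-does-not pattern described above.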
