SSL Deep Inspection not working with Chrome and Edge browsers
I've configured a policy with SSL Deep Inspection for my company and installed the FortiGate CA certificate on our devices in order to not be shown the certificate warning. However (on both Mac and Windows devices), when using Firefox it does seem to work correctly and the certificate shown by the browser is the FortiGate's, though when using either Chrome or Edge the certificates shown in the browser are the original web server certificates, just as if the deep inspection policy didn't exist at all.
I've enabled 'Enforce SSL cipher compliance' and 'Enforce SSL negotiation compliance' on the FG security profile and now it seems to work properly on macOS devices: both Firefox and Chrome show websites' certificates as issued by Fortinet. Though the situation on Windows devices remains unchanged: Firefox works as expected, while Chrome and Edge do not show any warning, but the certificates are issued by the original CA (Google, GlobalSign, etc.).
I believe this entirely depends on the webserver, in general:
If you see Fortinet as issuer, that means FortiGate is re-signing the certificate and acts as a man-in-the-middle.
The FortiGate receives the Original Server Certificate from the server, and will then sign it with its CA Certificate (Fortinet_CA or another). The Issuer of the Signed Server Certificate will be changed at this time. Finally, the client will receive the Signed Server Certificate from FortiGate.
In case you never solved this: web filtering needs to be enabled on the policy for it to work. I was just dealing with this same issue where the sites were signed by the original CA, but when I enabled Web Filtering on the policy on the FortiGate, now all sites show as signed by my FortiGate. Hope this helps other people who search for solutions to this problem.
Can you confirm whether the policy is proxy-based or flow-based? Also, after installing the certificate on the local machine, is it reflected at the OS level, or have you imported the certificate at the browser level?
Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.
If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.
Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.
If you are using macOS, double-click the certificate file to launch Keychain Access.
Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.
Firefox (Windows and Mac)
Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.
If users are using Firefox, instead of being pushed to all of their devices, the certificate must be installed on each device.
In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.
Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.
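To separate the two questions in this thread (is the FortiGate actually re-signing this site, and is its CA in the OS store that Chrome, Edge and IE consult), the following PowerShell check, written for this reply and not part of any Fortinet tool, fetches the certificate a Windows client is served and asks Windows whether it trusts the chain. The substring "Fortinet" for the re-signing CA and the two host names are assumptions; adjust them for your own CA and sites.

```powershell
# Added example: show which CA issued the certificate this Windows client
# receives for a site, and whether the Windows trust store (used by
# Chrome/Edge/IE) accepts that chain. Assumed: re-signing CA issuer contains
# "Fortinet"; hosts below are placeholders.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $tls = $null
    try {
        # Accept any chain here: the goal is to see what is served, not to enforce trust.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        # Copy the certificate so it survives disposing the stream.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        if ($tls) { $tls.Dispose() }
        $client.Dispose()
    }
}

function Test-TrustedByWindows {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with the Windows store, the same trust decision Chrome/Edge rely on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only, skip CRL/OCSP
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    return [pscustomobject]@{ Trusted = $ok; Status = $status }
}

foreach ($site in @('www.example.com', 'www.example.org')) {   # placeholder hosts
    $cert  = Get-ServedCertificate -HostName $site
    $trust = Test-TrustedByWindows -Cert $cert
    [pscustomobject]@{
        Site       = $site
        Issuer     = $cert.Issuer
        Inspected  = ($cert.Issuer -match 'Fortinet')   # $false: this flow bypasses deep inspection
        OsTrusted  = $trust.Trusted                      # $false: Chrome/Edge would warn; CA not in OS store
        ChainState = $trust.Status
    }
}
```

If Inspected is $false for a site, the browser is not the problem: that traffic is not being re-signed (for example, the policy is not proxy-based or has no web filter profile); if Inspected is $true but OsTrusted is $false, the CA was imported into the Firefox store only and still needs to go into Trusted Root Certification Authorities.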