SSL Inspection not working anymore
Hi
We have a 200F FortiGate with 7.6.1 firmware. I set up SSL inspection, web filter, IPS and antivirus about 2 years ago and all of them were working fine until last week. I noticed that there is no Fortinet issuer on any website I open, and because of that all websites are permitted and no application blocking occurs. I have used the Fortinet_CA_SSL certificate (default) via group policy for users and that was working. Please help me to solve this issue.
Hi Reza
Does it work with proxy based rule?
Greetings!
It sounds like SSL inspection isn't being applied properly, which is why the Fortinet certificate isn't showing up and your web filtering and application controls aren't taking effect.
Please ensure that the traffic is passing through the correct policy.
Ensure SSL inspection is still enabled on the relevant policies.
Verify that the correct inspection profile (deep or certificate inspection) is applied.
Regards!
It only works in proxy mode now. But another weird thing happened. When I add some websites to the full SSL inspection policy, SSL inspection becomes disabled and there is no Fortinet CA on any website, but when I delete those websites it works perfectly. Why?
Actually when using deep packet inspection on a FortiGate, the recommended inspection mode is "proxy inspection mode" as it provides the most comprehensive analysis of traffic.
As you are using flow-based inspection mode with deep packet inspection, I would suggest checking this document, https://community.fortinet.com/t5/FortiGate/Technical-Tip-ERR-SSL-PROTOCOL-ERROR-when-using-Flow-bas...
It is a known issue related to ML-KEM post-quantum TLS key exchange.
Regards!
I am not using flow mode, I am using proxy mode now. Everything is set up correctly, but when I add some websites for SSL inspection bypass, SSL inspection is not working anymore.
Hi @rezafathi ,
You may use the debug flow commands to find out which firewall policy this interesting traffic is hitting, then double check whether the SSL Inspection profile is applied correctly or not in this policy.
Jerry
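The following is an added FortiOS CLI session illustrating the check Jerry describes above and the exemption behaviour rezafathi reports (it is not part of Jerry's reply or any Fortinet document). It assumes a client at 192.0.2.10 browsing to a server at 203.0.113.5 (placeholder addresses), a policy ID that the trace reveals (shown as <id>), and a custom deep-inspection profile named "deep-inspection-custom" (default profiles are read-only, so exemptions are normally added to a clone); adjust those names to the real configuration.

```fortios
# 1. Trace the client's HTTPS traffic to learn which firewall policy it hits.
#    Addresses below are placeholders for this example.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.0.2.10
diagnose debug flow filter daddr 203.0.113.5
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce by opening a website from the client, then stop the trace:
diagnose debug disable
diagnose debug reset
# In the trace, look for the line "Allowed by Policy-<id>" to get the policy ID.

# 2. Confirm the matched policy is proxy-based and carries the deep-inspection profile.
show firewall policy <id>
# Expected lines in the output (names are assumptions for this example):
#     set inspection-mode proxy
#     set ssl-ssh-profile "deep-inspection-custom"
#     set utm-status enable

# 3. Review the exemption list of that profile; entries added in the GUI under
#    "Exempt from SSL Inspection" land in the ssl-exempt table. A broad entry
#    (for example a FortiGuard category or an address object covering the
#    destinations) exempts far more than intended.
show firewall ssl-ssh-profile deep-inspection-custom
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        config ssl-exempt
            # remove an over-broad exemption by its ID once identified
            delete 1
        end
    next
end
```

If the trace shows the traffic matching a different policy than expected (for instance one with certificate inspection or no SSL/SSH profile), that policy is the one to correct; if the expected policy matches but the Fortinet issuer still does not appear, compare the ssl-exempt entries before and after adding the bypass websites to see which entry actually covers the tested destinations.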
