Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rhfred
New Contributor

SSL Inspection with wildcard certificate

Hi, 

 

running on a Fortigate 300D 5.6.3 I experience some strange behaviour running some UTM features like WAF, AV, IPS. Here is my setup : 

[ul]
  • One wildcard certificate imported as a 'local certificate' which means with both certificate file and private key. This should make the device able to serve the certificate instead of my backend web server
  • One SSL/SSH inspection profile with these settings : Enable SSL Inspection of Protecting SSL Server, the right server wildcard certificate and inspect all ports.
  • One firewall rule with WAF, IPS and AV, and this SSL/SSH inspection profile[/ul]

    Now the strange behavior : 

    [ul]
  • Like said the previous SSL certificate is a wildcard SSL certificate. This basically means it protects *.example.com and works fine with subdomain1.example.com as well as subdomain2.example.com and subdomain3.example.com
  • When I try SQL injection against subdomain1.example.com I got a WAF message which says "The transfer has triggered a Web Application Firewall." and "This transfer is blocked." <-- This is an expected behavior
  • But when I try the same SQL injection against subdomain2.example.com or subdomain3.example.com nothing is blocked at all it is like SSL decipher does not work. [/ul]

    I didn't found anything in configurations which would say to fortigate, this SSL profile is only for subdomain1. I downloaded the entire configuration file and ran some grep, and didn't found anything regarding subdomain1, subdomain2 or subdomain3. 

     

    Is someone else experiencing the same behavior ? Is this a known bug ? 

     

    Thank you for your help,  rhfred

  • 2 REPLIES 2
    rhfred
    New Contributor

    Hi all, 

     

    Does nobody reproduce this? 

     

    rhfred

    emnoc
    Esteemed Contributor III

    The diag debug flow cmd is your friend, but let's  backup, if it worked for subdomain1 and not subdomain2 or 3, what's different? I would dump the  certificate CN and AltName  field and start from that point.

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors