Hello all. I'm experiencing some difficulties with using Web Filtering and SSL Inspection. My test policy has blocked the usual culprits (social media, gambling, porn, etc.) and I have a test machine and user going to the Internet via the policy. This is what I've done:
- Acquired root and subordinate CA certs from my sub CA server, imported them into FGT as root and sub CAs respectively.
- Created a local CA for the FGT via the issuing server (my sub CA server)
- Created an SSH/SSL Inspection profile utilizing the local CA object
- Created a Web Filter profile blocking the usual suspects
- Created policy outlining both the SSL Inspection and Web Filter profiles and made it so only a single user/PC combo hits it
Below are some of the issues I'm having with some websites. Others are blocked and show the block page as expected. All HTTPS websites. What am I doing wrong?
Has the security cert been imported into the browser of the client (test) workstation?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thank you for your quick reply. The root and sub CA certs were already in the Trusted Root CA and Intermediate CA stores due to AD membership. I manually imported the FGT's local cert into the Intermediate CA store. I've been using MS Edge and Internet Explorer, which I believe use the PC's certificate stores, so yes, it should be seen by the test client.
The output clearly says otherwise. Is the certificate (root/sub CA) trusted by that machine and browser? Also, if it is FF, it does not use the OS cert store.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks, Ken. What's strange is that the appropriate block page does show up for some pages with the same configuration.
Admittedly, the block page does say "Not secure" as well. I'm not sure if that's by design or not. How can I show you beyond a doubt that the certificates are trusted?
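One way to answer that question on the test workstation itself, as an added example that is not part of this thread or Fortinet's documentation: the script below does a TLS handshake to a host (twitter.com is used because it is the site failing in this thread), prints who signed the certificate the workstation actually receives, and then asks the Windows chain engine, the same one Edge and Internet Explorer consult, whether it trusts that certificate and, if not, why. The CN `FGT-SSL-Inspection` is an assumption standing in for whatever the FortiGate's local CA certificate is called.

```powershell
<#
  Added example, not from the thread: run on the test workstation (Windows PowerShell 5.1
  or PowerShell 7) as the test user. It reports (1) whether the FortiGate re-signed the
  certificate for this host, i.e. whether SSL inspection is in the path, and (2) whether
  the Windows chain engine trusts it, listing the chain status flags when it does not.
  $ExpectedIssuerCN is an assumption: set it to the CN of the FGT's local CA certificate.
#>
param(
    [string]$TargetHost       = 'twitter.com',        # host from the thread that shows the error
    [int]   $Port             = 443,
    [string]$ExpectedIssuerCN = 'FGT-SSL-Inspection'  # assumed name; use your FGT local CA's CN
)

# 1. TLS handshake with SNI = $TargetHost (what the FGT matches on), capturing the served
#    certificate. The callback accepts everything so the handshake completes even when the
#    certificate is untrusted; trust is evaluated separately in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return $true
}
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $tls.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
} finally {
    $tls.Dispose()
    $tcp.Close()
}

Write-Output "Subject : $($leaf.Subject)"
Write-Output "Issuer  : $($leaf.Issuer)"
Write-Output "Expires : $($leaf.NotAfter)"

# 2. Is this flow actually being re-signed by the FGT?
$issuerCN = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
if ($issuerCN -eq $ExpectedIssuerCN) {
    Write-Output "Issuer matches the FGT local CA: this flow IS being re-signed (deep inspection)."
} else {
    Write-Output "Issuer is '$issuerCN', not the FGT local CA: this flow is NOT being re-signed (exempt, SNI mismatch or policy miss)."
}

# 3. Does Windows trust it? X509Chain uses the same machine/user stores as Edge and IE.
#    Revocation checking is disabled so an unreachable internal CRL does not mask the
#    trust question being asked here.
$chainBuilder = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainBuilder.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chainBuilder.Build($leaf)
Write-Output "Windows chain trusted: $trusted"
foreach ($element in $chainBuilder.ChainElements) {
    Write-Output ("  {0}  [{1}]" -f $element.Certificate.Subject, $element.Certificate.Thumbprint)
}
if (-not $trusted) {
    foreach ($status in $chainBuilder.ChainStatus) {
        Write-Output ("  ! {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# 4. Where, if anywhere, the FGT local CA sits in the local stores. It has to be present as a
#    CA certificate (Root or Intermediate/CA store) and chain to a trusted root for Build() to pass.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA, Cert:\CurrentUser\Root, Cert:\CurrentUser\CA |
    Where-Object { $_.Subject -like "*CN=$ExpectedIssuerCN*" } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter
```

If the issuer printed in step 2 is a public CA rather than the FGT local CA, the flow is not being inspected at all, which is a policy or exemption question, not a trust one. If step 3 prints `UntrustedRoot` or `PartialChain`, the FGT CA or one of its parents is missing from the stores listed in step 4 for this user or machine. Run it as the same user who reproduces the problem, since `Cert:\CurrentUser` differs per account; it says nothing about Firefox, which keeps its own certificate store.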
That error is typically one of the following:
- Authority certificate may be expired, not trusted, etc.
- Browser security settings
Ken Felix
PCNSE
NSE
StrongSwan
May or may not apply, but had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but was the cert on the popup override page.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote:
May or may not apply, but had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but was the cert on the popup override page.

Thank you, Dave. I haven't used any kind of override in my own config, but just to confirm, the cert from the override page would be the one from the FGT acting as the MITM, yes? Even then, the proposed fix wouldn't apply to my situation, I think.
emnoc wrote:
That error is typically one of the following:
- Authority certificate may be expired, not trusted, etc.
- Browser security settings

Thank you, Ken. The issue persists, even though I followed this post to set it up (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspecti...). I can't see how it would be the browser security settings when twitter.com causes the error but other pages like instagram.com and gambling.com are blocked properly, meaning the block page shows as expected. Wouldn't the fact that those work without issue also mean that the certificate from the FGT and the higher CAs are indeed trusted?
Copyright 2025 Fortinet, Inc. All Rights Reserved.