FG101F running 6.4.8 with full decryption turned on between domain endpoints and the WAN.
I can't figure out what if anything I'm doing wrong here. I have some sites - no common thread of certificate issuer that I can find - that cannot be accessed in modern browsers if SSL Full Decryption is enabled for that site. If I explicitly exempt a site, it loads. The client sees a timeout page after some time as if that site is down. The firewall log shows a TCP Reset by the client.
Happens in Firefox, Chrome, Edge, but the same sites load just fine in IE. So I assume it has something to do with the browser seeing the MITM and resetting?
The clients trust the SSL cert by internal CA and most sites work fine being inspected. Anyone know what might be going on?
I just started getting complaints about this last week, the sites were working before that.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Ohmkorapt,
are the websites having issues with full inspection pages such as google.com or youtube.com?
There is a security standard called HSTS to avoid MitM and other attacks on the connection, with one effect being that browsers only accept the page certificates if they come from a specified issuer.
As the FortiGate generates its own certificate, signed by its own CA, the browsers will notice that the certificate for "google.com" or other websites with HSTS enabled is not the expected certificate, but rather the FortiGate one, and will shut down the connection.
An overview of HSTS: https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it
Internet Explorer is simply too old to support HSTS.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.