Hi Jin,
Thank you for your answer. I have the Inspection method set to Full SSL Inspection.
Generally, when I check the padlock on most sites, the exhibitor is my FortiGate, but not everywhere. I wonder why.

I don't really understand this SNI setting and set disable for testing. Overall, I have set my policy very strictly.

in attached photo you have a configuration with GUI 

Best regards,

Longin.

Hi Team,

Regarding the SNI setting:

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

You mentioned some websites in the pad lock not showing fortigate serial number. Usually this will happen only if the specific websites are under bypass list.

Could you please let us know the some website names which is happening?

Also, are you using flow based firewall policy or proxy based firewall policy?

Hello Seshuganesh,
Thank you for your reply :).
As for pad lock:
Pages where I can see my Fortigate certificate (So that's ok):
https://allegro.pl/
https://www.onet.pl/
https://www.gov.pl/
https://www.ceneo.pl/
https://www.microsoft.com/pl-pl/
Pages where I see a website certificate (So it's wrong for me):
https://www.youtube.com/
https://www.dobreprogramy.pl/
https://www.google.com/

https://www.shodan.io/

Interestingly:
1) home pages wrong, subpages good (Fortigate)
https://www.wp.pl/ (website certificate)
https://wiadomosci.wp.pl/wojna-w-ukrainie-zelenski-mowi-o-organizacji-terrorystycznej-pracujemy-nad-... (the same domain, a different subpage, and here the certificate was replaced by Fortigate)
2) For the first visit to the website, the fortigate certificate, after refreshing the website's certificate.
https://www.komputronik.pl/ the first time was the Fortigate certificate, after refreshing the certificate CN = E1 O = Let's Encrypt C = US

3) The first time was the website's own certificate after refreshing my Fortigate: https://twitter.com/TychoTithonus/status/1314424307208970240

In Firewall policy I use proxy based.

Best regards,

Longin.

Hey Longin,

it sounds a bit as if you're having issues with deep inspection not happening for webpages using HSTS.

HSTS in a security standard that prevents man-in-the-middle attacks (which is essentially what the FortiGate is doing when intercepting the HTTPS setup and replacing certificates with its own); the browsers expect a specific certificate and issuer for a webpage, and if they don't receive that (and instead receive a FortiGate certificate, for example) they don't proceed.

Obviously this is not happening in your case, but I do know that YouTube, Google and Twitter all use HSTS at least, which leads me to conclude that maybe HSTS being in use causes the FortiGate to stop deep inspection.

I'm really not sure if this is happening, this is just a vague guess - a ticket with FortiGate Technical Support might shed some light :).

Hi Debbie,
Thank you for your answer. I will make a ticket in Fortinet as You propose and I will write feedback on how the topic ended - although knowing the times in which Forti responds with my support level, it will take several weeks.

Best regards,

Longin.

Hi Longin,

Did you find the solution on this issue, I am curious to know since I observed the same behavior on my Fortigate SSL inspection. Appreciate if you can share the information what Fortinet support did regarding this. 

Thanks 

Hi. Unfortunately, they did not help, they rocked me for several months. Generally, from the FortiGate side, they did not change anything (they checked, analyzed on the FAZ if good policies are being launched and they said it was ok). The last few sessions were connecting remotely from the computer where there was a problem cleaning the coke files, launching private mode and it was ok. The next day it was not ok. The first time there was a smart engineer and you can see that he knew what he was doing, but the session was over and we were to return to the topic in a week, but it turned out that another person has the topic, then another ... I found that they do not know what is going on and they run like blind people in the desert. I have the impression that our contract is probably too low and I am passing my affairs to some novices. It was a waste of my time. I put the topic on hold because of other urgent topics and will probably come back to the topic next year.

I have a Mudasar_palthur request, if you have reached something, please write in the thread that solved the problem. Regards, Longin