Longin
SSL inspection problem - not all pages are inspected

Good morning.

I have a problem, maybe someone can help me.

I tested SSL and SSH connections on myself for testing. From the exclusions I set only the 2 categories proposed by Forti, i.e. those related to health, banking and finance. From the excluded pages section I removed all the default pages. Unfortunately, I see on several pages, e.g. https://www.youtube.com, https://www.dobreprogramy.pl, that the pages do not have the certificate changed by my FortiGate. In the remaining options I set blocking, but still nothing changed.

PS. I have firmware 7.0.5

Thanks for any help.

Best regards,

Longin.

jintrah_FTNT
Staff

Hi Longin,

It is most likely that the SSL inspection profile used is a certificate inspection profile rather than a deep inspection profile.

Best regards,

Jin

Longin

Hi Jin,
Thank you for your answer. I have the inspection method set to Full SSL Inspection.
Generally, when I check the padlock on most sites, the issuer is my FortiGate, but not everywhere. I wonder why.

I don't really understand this SNI setting and set it to disable for testing. Overall, I have set my policy very strictly.

In the attached photo you have the configuration from the GUI (SSL Inspection.PNG).

Best regards,

Longin.

seshuganesh

Hi Team,

Regarding the SNI setting (it checks the SNI in the client hello message against the CN or SAN fields in the returned server certificate):

enable: Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.

You mentioned some websites where the padlock does not show the FortiGate serial number. Usually this will happen only if the specific websites are on the bypass list.

Could you please let us know some of the website names for which this is happening?

Also, are you using a flow-based firewall policy or a proxy-based firewall policy?

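To make the three SNI settings described above concrete, here is an added model of the check in Python (written for this thread, not Fortinet's code). It assumes a leaf certificate with a CN and a list of DNS SANs, uses ordinary single-label wildcard matching, and returns what each mode would do on a mismatch:

```python
from dataclasses import dataclass
from typing import Iterable, Optional

MODES = ("enable", "strict", "disable")


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match with a single leading wildcard label.
    '*.wp.pl' matches 'wiadomosci.wp.pl' but not 'wp.pl' or 'a.b.wp.pl'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


@dataclass
class Decision:
    action: str              # "pass" (continue inspection) or "close" (drop the session)
    filter_name: str         # hostname that URL filtering would be applied to
    matched: Optional[bool]  # None when the check is disabled


def check_sni(mode: str, sni: str, cert_cn: str, cert_sans: Iterable[str] = ()) -> Decision:
    """Apply the SNI-vs-certificate check as the thread describes the three settings."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")
    if mode == "disable":
        # No comparison at all: URL filtering simply trusts the client's SNI.
        return Decision("pass", sni, None)
    names = [cert_cn, *cert_sans]
    matched = any(name_matches(n, sni) for n in names if n)
    if matched:
        return Decision("pass", sni, True)
    if mode == "strict":
        # Mismatch is treated as a spoofed SNI: close the connection.
        return Decision("close", sni, False)
    # "enable": keep the session, but filter on the certificate's CN instead of the SNI.
    return Decision("pass", cert_cn, False)
```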
Longin

Hello Seshuganesh,
Thank you for your reply :).
As for the padlock:
Pages where I can see my FortiGate certificate (so that's OK):
https://allegro.pl/
https://www.onet.pl/
https://www.gov.pl/
https://www.ceneo.pl/
https://www.microsoft.com/pl-pl/
Pages where I see the website's certificate (so it's wrong for me):
https://www.youtube.com/
https://www.dobreprogramy.pl/
https://www.google.com/

https://www.shodan.io/


Interestingly:
1) home pages wrong, subpages good (FortiGate)
https://www.wp.pl/ (website certificate)
https://wiadomosci.wp.pl/wojna-w-ukrainie-zelenski-mowi-o-organizacji-terrorystycznej-pracujemy-nad-... (the same domain, a different subpage, and here the certificate was replaced by the FortiGate)
2) On the first visit to the website, the FortiGate certificate; after refreshing, the website's certificate.
https://www.komputronik.pl/: the first time it was the FortiGate certificate, after refreshing the certificate was CN = E1, O = Let's Encrypt, C = US

3) The first time it was the website's own certificate, after refreshing it was my FortiGate's: https://twitter.com/TychoTithonus/status/1314424307208970240


In the firewall policy I use proxy-based.

Best regards,

Longin.
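An added Python script (not from the thread or from Fortinet) that turns the padlock checks above into a repeatable audit: it performs a fresh TLS handshake with SNI for each host, classifies the leaf certificate as re-signed by the inspection CA or passed through, and repeats the handshake so the first-visit vs. refresh difference reported above shows up as an inconsistent result. The inspection CA name is an assumed placeholder; the default context trusts the OS certificate store, so the FortiGate CA must be installed there for inspected handshakes to succeed.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Assumed placeholder: set this to the CN (or O) shown as the issuer in the browser
# padlock on a site that IS inspected by your FortiGate.
INSPECTION_CA_CN = "FortiGate CA"


def rdn_value(name, key: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of the tuple-of-tuples form that
    ssl.SSLSocket.getpeercert() uses for its 'subject' and 'issuer' entries."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify(cert: dict, inspection_ca: str = INSPECTION_CA_CN) -> str:
    """'inspected' when the leaf was issued by the inspection CA, otherwise 'passthrough'."""
    issuer = cert.get("issuer", ())
    issuer_cn = rdn_value(issuer, "commonName") or ""
    issuer_o = rdn_value(issuer, "organizationName") or ""
    return "inspected" if inspection_ca in (issuer_cn, issuer_o) else "passthrough"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One fresh TCP+TLS handshake with SNI set to `host`; returns the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts: List[str], rounds: int = 2) -> Dict[str, List[str]]:
    """Handshake `rounds` times per host on separate connections and record each result,
    so a host that flips between inspected and passthrough is visible."""
    results: Dict[str, List[str]] = {}
    for host in hosts:
        results[host] = []
        for _ in range(rounds):
            try:
                results[host].append(classify(fetch_cert(host)))
            except (OSError, ssl.SSLError) as exc:
                results[host].append(f"error: {exc.__class__.__name__}")
    return results


if __name__ == "__main__":
    for host, seen in audit(["www.youtube.com", "www.wp.pl", "wiadomosci.wp.pl"]).items():
        flag = "  <-- inconsistent" if len(set(seen)) > 1 else ""
        print(f"{host:25s} {', '.join(seen)}{flag}")
```

A handshake error for an inspected site usually means the FortiGate CA is not in the OS trust store the script runs under, which is itself worth noting before drawing conclusions.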

Debbie_FTNT

Hey Longin,

It sounds a bit as if you're having issues with deep inspection not happening for webpages using HSTS.

HSTS is a security standard that prevents man-in-the-middle attacks (which is essentially what the FortiGate is doing when intercepting the HTTPS setup and replacing certificates with its own); the browsers expect a specific certificate and issuer for a webpage, and if they don't receive that (and instead receive a FortiGate certificate, for example) they don't proceed.

Obviously this is not happening in your case, but I do know that YouTube, Google and Twitter all use HSTS at least, which leads me to conclude that maybe HSTS being in use causes the FortiGate to stop deep inspection.

I'm really not sure if this is happening, this is just a vague guess - a ticket with FortiGate Technical Support might shed some light :).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Longin

Hi Debbie,
Thank you for your answer. I will open a ticket with Fortinet as you propose and will write back with how the topic ended, although knowing the response times at my support level, it will take several weeks.

Best regards,

Longin.

mudasar_palthur

Hi Longin,

Did you find a solution to this issue? I am curious to know, since I observed the same behaviour with my FortiGate SSL inspection. I would appreciate it if you could share what Fortinet support did regarding this.

Thanks

Longin

Hi. Unfortunately, they did not help; they strung me along for several months. Generally, from the FortiGate side they did not change anything (they checked and analyzed on the FAZ whether the right policies are being applied and said it was OK). The last few sessions were connecting remotely to the computer where there was a problem, cleaning the cookie files, launching private mode, and it was OK. The next day it was not OK. The first time there was a smart engineer and you could see that he knew what he was doing, but the session was over and we were to return to the topic in a week, but it turned out that another person had the topic, then another... I found that they do not know what is going on and they run like blind people in the desert. I have the impression that our contract is probably too low and my cases are passed to some novices. It was a waste of my time. I put the topic on hold because of other urgent topics and will probably come back to it next year.

Longin

I have a request for Mudasar_palthur: if you have got anywhere, please write in the thread what solved the problem. Regards, Longin
