jarbasd
New Contributor

Understanding SSL inspection handling in Fortigate

Hello,

I have the following question regarding the SSL inspection process performed by FortiGate, specifically the options below:

[screenshot: imagem_2025-07-09_205121346.png]

I'm trying to understand the order in which these options are analyzed. I understand that a verification flow must be followed, and my current understanding is as follows:


My Logic:

It all starts with cert-probe-failure.

cert-probe-failure = Couldn't get the certificate, so it stops here and takes a block or allow action. If successful, continue >>

cert-validation = Opens the certificate and checks CA, revocation, expiration, and SNI.

According to the information obtained from cert-validation, it will perform the actions set below:

sni-server-cert-check = enable (I understand this check already occurs in cert-validation)

revoked = allow or drop

expired = allow or drop

untrusted = allow or drop

I'm a little confused about these checks. I read in the documentation that cert-probe-failure already performs validations that other options do, such as untrusted certificate and expired certificate.

Is there any documentation explaining this flow?


Thanks for any help!

jiahoong112
Staff

Relevant documents: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-allow-HTTPS-port-443-traffic-... 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-fix-SSL-connection-is-blocked... 

Cert-probe is FortiGate pre-probing the destination before allowing the connection between client and server to establish. When this fails, the connection is blocked - this is the default setting. This is the case for versions 7.0, 7.2 and 7.4. From 7.6 onwards, the default action for cert-probe failure is Allow. 

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
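As an added illustration (not from either poster and not taken from Fortinet's documentation), this is how the options from the screenshot in the question sit together in a deep-inspection SSL/SSH profile on the FortiOS CLI, with the effect of each option and the version-dependent cert-probe default from the reply above noted beside it. The profile name `custom-deep-inspection` and the exact key names are assumptions taken from the FortiOS 7.x CLI reference; confirm them with `?` on your own unit, and strip the `#` comment lines before pasting into a live session.

```fortios
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        # assumed profile name; any deep-inspection profile works the same way
        config https
            set ports 443
            set status deep-inspection
            # Pre-probe of the server before the client/server session is allowed.
            # Default is block on 7.0/7.2/7.4 and allow from 7.6 (per the reply above),
            # so set it explicitly to keep behaviour stable across upgrades.
            set cert-probe-failure block
            # Certificate validation as a whole produced no verdict (failure) or
            # did not finish in time (timeout); these are evaluated before the
            # per-finding actions below can apply.
            set cert-validation-failure block
            set cert-validation-timeout block
            # Per-finding actions once the server certificate has been validated
            # (allow | block | ignore; the poster's "drop" corresponds to block).
            set expired-server-cert block
            set revoked-server-cert block
            set untrusted-server-cert block
            # Require the client's SNI to match the name in the server certificate.
            set sni-server-cert-check enable
        end
    next
end
```

Setting every option explicitly rather than relying on defaults is the practical answer to the ordering confusion in the question: whichever check fires first, the profile states what happens, and the per-session verdict is visible in the UTM SSL log for that profile.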