greetings guys,
we use fortigate with firmware 7.2.10
I have an interesting topic. I am in a global organization with 4 sites globally. One is in China, the rest 3 are in Sweden, a totally free Internet world. My colleague in China site wants to access www.google.com but you know it is banned within China mainland. So, we are considering redirecting the https traffic destined for https service of www.google.com to our Sweden site.
we created an SD-WAN rule, with FQDN *.google.com as the destination. The outgoing interface, an ipsec tunnel interface based on MPLS to our Sweden site, is manually assigned to the sd-wan rule.
I did see the 443 traffic hit the SD-WAN rule and traffic log was seen both from China site firewall and Sweden site firewall, but the access was interrupted, and the browser gives me the error net::err_cert_common_name_invalid.
Then I was thinking we need more SD-WAN rule to redirect other traffic (let's say, for certificate validation traffic ) to Sweden site maybe? But how can we identify what exactly the rule should be?
Thanks for any advice.
Hi Sean
When the browser finds a certificate CN (and alt names) different than the entered FQDN then it stops the navigation with that error message to prevent possible data theft.
thanks AEK for your great help,
so, what could be the possible solution for this?
one interesting thing is that if I do nslookup www.google.com with my organization's DNS server, it will be resolved to www.google.com.int.mycompany.com. Who did this abnormal resolution?
Created on ‎01-22-2025 11:38 PM Edited on ‎01-22-2025 11:44 PM
Hi Sean
The solution could be by signing the certificate with a trusted CA. I think about deep inspection. I don't see any other solution.
Edit: After thinking twice, there should be no need for deep inspection, but you can do something on the server's certificate. Try to add alternate name *.google.com to the certificate that is installed on server www.google.com.int.mycompany.com. Since it is signed by your private CA it should be feasible.
I confirm it works. The certificate is on the back-end server and is signed by my private CA.
User | Count |
---|---|
2675 | |
1410 | |
810 | |
702 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.