Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sean3
Contributor

Created on ‎01-22-2025 12:14 AM

cannot access google via RIA solution on fortigate

greetings guys,

 

we use fortigate with firmware 7.2.10

 

I have an interesting topic. I am in a global organization with 4 sites globally. One is in China, the rest 3 are in Sweden, a totally free Internet world. My colleague in China site wants to access www.google.com but you know it is banned within China mainland. So, we are considering redirecting the https traffic destined for https service of www.google.com to our Sweden site.

we created an SD-WAN rule, with FQDN *.google.com as the destination. The outgoing interface, an ipsec tunnel interface based on MPLS to our Sweden site, is manually assigned to the sd-wan rule.

I did see the 443 traffic hit the SD-WAN rule and traffic log was seen both from China site firewall and Sweden site firewall, but the access was interrupted, and the browser gives me the error net::err_cert_common_name_invalid

Then I was thinking we need more SD-WAN rule to redirect other traffic (let's say, for certificate validation traffic ) to Sweden site maybe? But how can we identify what exactly the rule should be?

 

Thanks for any advice.

Labels:
215
0 Kudos
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎01-22-2025 01:21 AM

Hi Sean

When the browser finds a certificate CN (and alt names) different than the entered FQDN then it stops the navigation with that error message to prevent possible data theft.

AEK
AEK
202
sean3
Contributor
In response to AEK

Created on ‎01-22-2025 05:12 PM

thanks AEK for your great help,

so, what could be the possible solution for this?

one interesting thing is that if I do nslookup www.google.com with my organization's DNS server, it will be resolved to www.google.com.int.mycompany.com. Who did this abnormal resolution?

164
0 Kudos
AEK
SuperUser
SuperUser
In response to sean3

Created on ‎01-22-2025 11:38 PM Edited on ‎01-22-2025 11:44 PM

Hi Sean

The solution could be by signing the certificate with a trusted CA. I think about deep inspection. I don't see any other solution.

 

Edit: After thinking twice, there should be no need for deep inspection, but you can do something on the server's certificate. Try to add alternate name *.google.com to the certificate that is installed on server www.google.com.int.mycompany.com. Since it is signed by your private CA it should be feasible.

AEK
AEK
150
AEK
SuperUser
SuperUser
In response to AEK

Created on ‎01-23-2025 12:54 AM Edited on ‎01-23-2025 04:22 AM

I confirm it works. The certificate is on the back-end server and is signed by my private CA.

 

ggl.png

 

 

g-cert.png

AEK
AEK
129
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.