jheadley_FTNT
Description
This article presents a flowchart of the expected behavior and troubleshooting information of certificate warnings when using only a web filtering security profile in combination with SSL certificate inspection or deep inspection.

Scope
FortiGates running FortiOS v5.2 or v5.4.
Firewall policies using only a web filtering security profile in combination with SSL inspection.

Solution
[Flowchart image (FD38641-1): expected behavior and troubleshooting of certificate warnings with a web filtering profile and SSL inspection; not reproduced here]

Troubleshooting

Verify which policy ID the traffic is hitting via the FortiGate session table or traffic logs. Check the web filtering and SSL inspection profiles that are applied to this policy.

Compare the certificate presented in the web browser with the certificate configured in the SSL inspection profile. Check that the information in the sections "Issued To", "Issued By", and "Validity Period" match.

Check whether the website is included in the web browser's certificate pinning list. The article "SSL Public Key Pinning – Bulletin" in the Fortinet Document Library provides more details.

Solution 1:

Download the FortiGate certificate used for SSL inspection (the default certificate is "FortiGate_CA_SSLProxy") and import it as a trusted root CA in the web browser, as explained in the 'Preventing certificate warnings' Cookbook Recipe.

Workaround 1:

Add the website as an exemption in the SSL deep inspection profile as explained in the 'Exempting Google from SSL inspection' Cookbook Recipe.

Workaround 2:

Disable the FortiGate from showing the block page for HTTPS sites blocked under this particular web filtering profile with the commands listed below:
config webfilter profile
    edit {name}
        set https-replacemsg disable
    next
end
Notes

(1) The FortiGate presents the block page using the certificate configured in the SSL inspection profile, which is why blocking websites with certificate inspection enabled still requires trusting that certificate.

(2) A certificate signed by a public CA (GoDaddy, Verisign, DigiCert, etc.) that meets the requirements for use in SSL inspection cannot be purchased: the inspection certificate must itself be a CA certificate able to sign the re-signed server certificates, and public CAs do not issue such certificates to customers.

(3) The choice between using certificate or deep inspection is addressed in the 'Why you should use SSL inspection' Cookbook Recipe.

Related Articles

Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...

Technical Note: Differences between SSL Certificate Inspection and Full SSL Inspection

Technical Note : Digital Certificate management example: Signing a certificate with a CA, Importing ...
