FortiGate
Kenichi_Terashita_FT

Description

This article describes a workaround for a situation in which SSL Inspection fails when the FortiGate verifies the original server certificate against a CA certificate that is installed on the FortiGate.
 
When the original server certificate can be verified with a CA certificate already installed on the FortiGate, the SSL connection fails because the FortiGate treats the certificate as invalid, even though it is valid and chains to a trusted CA. The expected behaviour is the opposite: a certificate that verifies against an installed CA should pass inspection.

Two examples:
  1. The FortiManager web UI presents a server certificate signed by Fortinet_CA. Fortinet_CA is pre-installed on every FortiGate, so inspecting HTTPS sessions to a FortiManager triggers the issue.
  2. If an administrator imports an additional CA certificate, the issue occurs for any server whose certificate is signed by that CA.


Workaround

Workaround 1

Enable the allow-invalid-server-cert option. Be aware of what this does: the FortiGate stops rejecting any server certificate that fails validation, not only the ones wrongly rejected by this issue, so expired, self-signed and untrusted-CA certificates on inspected sessions are accepted as well. Because the FortiGate re-signs inspected sessions with its own SSL proxy certificate, the client sees a certificate it trusts and cannot tell that the original server certificate was bad. Apply the option only to the profile used by the affected policy, and remove it once the upgrade in Workaround 2 has been done.

FortiOS 4.0 MR1 and earlier

    config firewall profile
        edit <name>
            set <protocol> allow-invalid-server-cert
        next
    end

FortiOS 4.0 MR2

    config firewall profile-protocol-options
        edit <name>
            config <protocol>
                set options allow-invalid-server-cert
            end
        next
    end

Here <name> is the profile referenced by the affected firewall policy and <protocol> is the SSL protocol being inspected (for example https for the FortiManager case above). In the MR2 form, set options replaces the protocol's whole option list rather than appending to it, so check the current value with show first and re-specify any options that are already enabled.
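The following MR2 sequence is an added illustration, not taken from the original article or from Fortinet documentation. It assumes a profile-protocol-options entry named "default" and an HTTPS-only scope; the show step records the option list before set options overwrites it, and the last block is the rollback to run after upgrading. Lines beginning with # are annotations.

```fortios
# Added example (not from the original article). Assumes the
# profile-protocol-options entry is named "default"; use the entry
# referenced by the firewall policy that inspects the affected traffic.

# 1. Record the current HTTPS options. "set options" replaces the
#    whole list, so anything listed here must be repeated in step 2.
config firewall profile-protocol-options
    edit "default"
        config https
            show
        end
    next
end

# 2. Apply the workaround. This assumes "show" reported no options;
#    otherwise list the existing ones together with the new one,
#    e.g. "set options <existing-option> allow-invalid-server-cert".
config firewall profile-protocol-options
    edit "default"
        config https
            set options allow-invalid-server-cert
        end
    next
end

# 3. Rollback after upgrading to a fixed build: restore server
#    certificate validation for inspected HTTPS sessions. If step 1
#    listed other options, set that list again instead of "unset".
config firewall profile-protocol-options
    edit "default"
        config https
            unset options
        end
    next
end
```

If other SSL protocols are inspected on the same policy (the smtps, pop3s and imaps sections of the same profile, assuming they are present in this release), repeat steps 1 to 3 for each of them; the option is set per protocol, not per profile.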
 
Workaround 2
 
Upgrade to FortiOS 4.0 MR2 build 256, which corrects the behaviour without disabling server certificate validation. After the upgrade, remove the allow-invalid-server-cert option if Workaround 1 was applied.
 

 

Related Articles

Technical Tip: How to enable Deep Content Inspection

Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...

Technical Note : FortiGate SSL Inspection - Verifying server certificate validity (includes Japanese...

Troubleshooting Tip : Verifying server certificate on SSL Inspection