Description
This article provides a workaround for the situation where SSL Inspection fails when the FortiGate verifies the server certificate against a CA certificate that is installed on the FortiGate.
When the FortiGate can verify the original server certificate with a CA certificate that is already installed on the unit, the SSL connection fails because the FortiGate considers the certificate invalid.
Two examples:
- The FortiManager web UI presents a server certificate signed by Fortinet_CA. This CA certificate is installed on every FortiGate, so the issue occurs.
- If the administrator installs another CA certificate, the issue occurs whenever the original server certificate is signed by that CA certificate.
Workaround
Workaround 1
Enable the allow-invalid-server-cert option. With this option set, the FortiGate accepts any invalid server certificate for that protocol, not only the certificates affected by this issue.
FortiOS 4.0 MR1 and before
config firewall profile
    edit <name>
        set <protocol> allow-invalid-server-cert
    next
end
FortiOS 4.0 MR2
config firewall profile-protocol-options
    edit <name>
        config <protocol>
            set options allow-invalid-server-cert
        end
    next
end
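Because allow-invalid-server-cert disables server certificate validation for the whole protocol, it is worth being able to find every profile where it was left enabled after the workaround is no longer needed. The following script is an added example, not Fortinet code: it parses a FortiOS configuration dump (the config/edit/set/next/end structure) and reports each profile and protocol that has the option set, in both the FortiOS 4.0 MR1 syntax and the 4.0 MR2 syntax shown above. The sample configuration embedded in it is constructed for the example.

```python
"""Audit a FortiOS configuration dump for profiles that allow invalid server
certificates during SSL inspection.

Added example with a constructed sample input; this is not Fortinet code.
The two syntaxes handled are the ones in the article: FortiOS 4.0 MR1
'set <protocol> allow-invalid-server-cert' inside 'config firewall profile',
and FortiOS 4.0 MR2 'set options allow-invalid-server-cert' inside a
per-protocol 'config <protocol>' sub-block of
'config firewall profile-protocol-options'.
"""
import shlex

# Constructed sample: one MR1-style profile and one MR2-style profile, each
# with one protocol that accepts invalid certificates and one that does not.
SAMPLE_CONFIG = """\
config firewall profile
    edit "legacy-web"
        set https allow-invalid-server-cert
        set smtps scan
    next
end
config firewall profile-protocol-options
    edit "default"
        config https
            set port 443
            set options allow-invalid-server-cert
        end
        config imaps
            set port 993
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config X' and 'edit Y' open a nested dict, 'set K V...' stores the list
    of values, 'next' and 'end' close the current level. Returns the root.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names like "legacy-web"
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            name = " ".join(args)
            node = stack[-1].setdefault(name, {})
            stack.append(node)
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        # other keywords (e.g. 'unset') are not relevant to this audit
    return root


def find_invalid_cert_allowances(text):
    """Return sorted (profile, protocol) pairs where allow-invalid-server-cert
    is enabled, in either the MR1 or the MR2 syntax."""
    tree = parse_fortios(text)
    hits = set()
    # MR1 syntax: set <protocol> allow-invalid-server-cert
    for name, profile in tree.get("firewall profile", {}).items():
        for key, values in profile.items():
            if isinstance(values, list) and "allow-invalid-server-cert" in values:
                hits.add((name, key))
    # MR2 syntax: config <protocol> ... set options allow-invalid-server-cert
    for name, profile in tree.get("firewall profile-protocol-options", {}).items():
        for proto, block in profile.items():
            if isinstance(block, dict) and "allow-invalid-server-cert" in block.get("options", []):
                hits.add((name, proto))
    return sorted(hits)


if __name__ == "__main__":
    for profile, proto in find_invalid_cert_allowances(SAMPLE_CONFIG):
        print(f"profile {profile!r}: {proto} accepts invalid server certificates")
```

Run it against the output of `show full-configuration` saved to a file (replace SAMPLE_CONFIG with the file contents); every pair it prints is a protocol on which the FortiGate no longer validates server certificates, so each one should be reviewed once the upgrade in Workaround 2 has been applied.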
Workaround 2
Upgrade to FortiOS 4.0 MR2, build 256.
Related Articles
Technical Tip: How to enable Deep Content Inspection
Technical Note : Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decr...
Technical Note : FortiGate SSL Inspection - Verifying server certificate validity (includes Japanese...
Troubleshooting Tip : Verifying server certificate on SSL Inspection