FortiGate
Kenichi_Terashita_FT

Description
This article describes how to observe and troubleshoot the server certificate verification performed by SSL Inspection.
Solution

How to verify the SSL Inspection transaction and the result

Part of the SSL Inspection transaction can be observed with the diagnose command. After enabling this debug, trigger a server certificate verification on the FortiGate by accessing an SSL server through it.
# diagnose debug application fnbamd -1
# diagnose debug enable

Start auth_cert:
  groups(0):
  ip:
  cert subject: C = CA, ST = British Columbia, L = Burnaby, O = Fortinet Technologies Canada Inc., OU = Customer Support, CN = support.fortinet.com
  cert  issuer: C = US, O = "Entrust, Inc.", OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2008 Entrust, Inc.", CN = Entrust Cert
auth_cert succeed: group='', user=''

The "auth_cert succeed" result is given at the end of this output.  In this example it shows that this certificate is valid.

# diagnose debug application fnbamd -1
# diagnose debug enable

Start auth_cert:
  groups(0):
  ip:
  cert subject: OU = Test dept, CN = test.example.com
  cert  issuer: OU = Test dept, CN = test.example.com
client cert expired
quick_check_cert failed

In this case the certificate has already expired.  The FortiGate determines that this is an invalid certificate and will fail the SSL session.


How to execute some built-in debug commands for SSL Inspection

The help text is displayed by entering '0' as the option at the end of the command line.
# diagnose test application ssl 0

SSL Proxy Test Usage

   1: Dump Memory Usage
   2: Drop all connections
   3: Display PID
   4: Display connection stat
   5: Toggle AV Bypass mode
  44: Display info per connection
  11: Display connection TTL list
  12: Clear the SSL certificate cache
  13: Clear the SSL session cache
  99: Restart proxy


How to verify a certificate against a CA certificate with the openssl command

You can verify a certificate's validity against the CA certificate that issued it.

Example 1: Verifying the FortiManager WebUI certificate against Fortinet_CA
$ openssl verify -CAfile Fortinet_CA.cer fmg.fortinet.com.pem
fmg.fortinet.com.pem: OK
* This case shows that the FortiManager WebUI certificate was issued by Fortinet_CA.


Example 2: Verifying the FortiGate WebUI certificate against Fortinet_CA
$ openssl verify -CAfile Fortinet_CA.cer FG200B3909600933.crt
FG200B3909600933.crt: /CN=FG200B3909600933/O=Fortinet Ltd.
error 18 at 0 depth lookup:self signed certificate
OK
* This case shows that the FortiGate WebUI certificate is a self-signed certificate (error 18). It doesn't need to be verified by any other CA certificate, so the OK result is output. Note that with the OpenSSL release used here the OK only means that verify continued past the depth-0 self-signed warning; it does not mean the certificate chains to Fortinet_CA, and current OpenSSL releases report this case as "verification failed" instead.

The error codes are listed in man verify or at http://www.freebsd.org/cgi/man.cgi?query=verify
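The following script is an added example, not part of the Fortinet article: it builds a throwaway test CA, a server certificate issued by that CA, and a stand-alone self-signed certificate, then runs the same openssl verify -CAfile check as the two examples above and reduces the output to OK or the numeric error code (18 for the self-signed case). All names (Example Test CA, www.example.test, FGTEST) are constructed, and it assumes an OpenSSL release in which verify exits non-zero on failure (1.1 or later).

```shell
#!/bin/sh
# Added example (not from the article). Constructed test PKI in a temp dir:
#   ca.cer   stands in for Fortinet_CA.cer
#   srv.pem  stands in for a certificate issued by that CA (Example 1)
#   self.crt stands in for a self-signed box certificate (Example 2)
WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
    # 1. Constructed CA certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
        -subj "/O=Example Test CA/CN=Example Test Root" >/dev/null 2>&1
    # 2. Server key and CSR, then sign the CSR with the CA
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/O=Example/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" >/dev/null 2>&1
    # 3. Self-signed certificate that was NOT issued by the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" \
        -subj "/O=Fortinet Ltd./CN=FGTEST" >/dev/null 2>&1
}

# verify_against_ca CAFILE CERT
# Prints "OK" when CERT chains to CAFILE, otherwise the numeric code from
# openssl's "error N at D depth lookup:" line (e.g. 18 = self-signed at depth 0).
verify_against_ca() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Stand-alone run: reproduce both article cases against the constructed CA
make_test_pki
echo "srv.pem  against ca.cer   : $(verify_against_ca "$WORK/ca.cer" "$WORK/srv.pem")"
echo "self.crt against ca.cer   : $(verify_against_ca "$WORK/ca.cer" "$WORK/self.crt")"
echo "self.crt against self.crt : $(verify_against_ca "$WORK/self.crt" "$WORK/self.crt")"
```

The third line shows that a self-signed certificate only verifies when it is itself supplied as the trust anchor, which is the check to use for a FortiGate box certificate rather than Fortinet_CA.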

 
