Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ChrisRX
New Contributor

Firmware 5.6 Fortigate 70D - Broken Named Address Objects and Forced SSL Inspection.

Hi,

 

I'm wondering if anyone else has upgraded their Fortigate 70D FWs to 5.6 yet? Did it go well? I did a couple of days ago, and well. Named Address Objects seem to have stopped working randomly (also on one of my 60D WiFi units) on already well-working and well-established IPsec tunnels, so that according to support I had to revert back to static subnets in each Phase 2 selector group instead of named groups of addresses. Now, for some unknown reason, every policy on the 70D has a forced SSL cert inspection that is raising havoc at this remote site with their HTTPS certs. I cannot remove this feature from any of my policies. I'm going to have to call support again; however, I wanted to post this here to see if anyone else has had any of these issues yet. I will try and post back what support says. I've attached a quick screenshot of the message I get after de-selecting the SSL inspection object and then applying OK. Strange. I have a third site with a 70D that I've also upgraded to firmware 5.6 that's not having any of these concerns.

 

Any thoughts?

3 REPLIES
hmtay_FTNT
Staff

Hi Chris,

 

>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.

 

In the image you uploaded, what the Fortigate is forcing you to do is to select at least either the default "certificate-inspection" or the "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.

 

If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.

 

HoMing

EMES

hmtay wrote:
>>Hi Chris,
>>
>>>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.
>>
>>In the image you uploaded, what the Fortigate is forcing you to do is to select at least either the default "certificate-inspection" or the "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.
>>
>>If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.
>>
>>HoMing

 

Does 5.6 force some type of certificate inspection then? Looking at a VM for testing, that's what it seems, unless it's in the CLI.

hmtay_FTNT

>>Does 5.6 force some type of certificate inspection then? Looking at a VM for testing, that's what it seems, unless it's in the CLI.

 

Yes. FortiOS 5.6 will automatically enable the most basic certificate-inspection if any module that requires scanning the SSL sessions, like Application Control or Web Filter, is enabled.
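The CLI side of what the two staff replies above describe (the profile prompt Chris hit in the GUI, and the answer to EMES's question about whether the requirement also shows up in the CLI), as an added example that is not from the original thread or from Fortinet's documentation. It shows a FortiOS 5.6 firewall policy that has Web Filter and Application Control enabled and therefore must reference an SSL/SSH inspection profile, with the built-in read-only "certificate-inspection" profile selected rather than "deep-inspection". The interface names, policy ID, policy name and the "default" Web Filter and Application Control profile names are assumptions for illustration; lines beginning with # are annotations, not CLI input.

```text
# Constructed example in FortiOS 5.6 CLI syntax; not copied from a real device.

# Built-in read-only profile. For HTTPS the FortiGate only reads the SNI in the
# Client Hello and the server Certificate message; it does not terminate TLS and
# does not re-sign the server certificate, so clients still see the origin cert.
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
    next
end

# A policy with security profiles that need to see inside TLS (Web Filter,
# Application Control) must carry an ssl-ssh-profile. This is the field the
# 5.6 GUI refuses to leave empty once those profiles are enabled.
config firewall policy
    edit 10                                    # policy ID is an assumption
        set name "LAN-to-WAN-filtered"         # assumed name
        set srcintf "internal"                 # assumed interface names
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"        # assumed profile names
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"   # read-only, not "deep-inspection"
        set nat enable
    next
end
```

"deep-inspection" is the profile that performs a man-in-the-middle: it re-signs every server certificate with the FortiGate's own CA, and clients that do not trust that CA get certificate warnings. If HTTPS certificate errors appear after an upgrade and no interception is intended, check each policy with `show firewall policy <id>` and make sure the ssl-ssh-profile line reads "certificate-inspection". A policy that needs neither Web Filter nor Application Control can set `utm-status disable` instead, after which no SSL/SSH profile is required.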