Hi,
I'm wondering if anyone else has upgraded their Fortigate 70D FWs to 5.6 yet? Did it go well? I did a couple of days ago, and well. Named Address Objects seemed to have stopped working randomly(Also on one of my 60D WIFi) on an already well working and well established IPSec tunnels, hat according to support I had to revert back to static subnets in each Phase 2 selector group instead of named groups of addresses. Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs. I cannot remove this feature from any on my policies. I'm going to have to call support again, however I wanted to post this here to see if anyone else has had any of these issues yet. Will try and post back what support says. I've attached a quick screen shot of the message I get after DE-Selecting the SSL inspection object then applying ok. Strange. I have a third site with a 70D that I've also upgraded to firmware to 5.6 that's not having any of these concerns.
Any thoughts?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Chris,
>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.
In your image you upload, what the Fortigate is forcing you to do is to either select at least the default "certificate-inspection" or "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.
If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.
HoMing
hmtay wrote:Hi Chris,
>>Now, for some unknown reason, every policy on the 70D now has a forced SSL Cert inspection that is raising havoc at this remote site's and their HTTPS certs.
In your image you upload, what the Fortigate is forcing you to do is to either select at least the default "certificate-inspection" or "deep-inspection" profile. If you do not want the Fortigate to intercept and modify the SSL session, you can select "certificate-inspection". This only scans the SNI and hostname on the Client Hello or Certificate packets.
If you do not enable at least "certificate-inspection", the Fortigate will not scan the SSL sessions and profiles like Web Filter or Application Control will not work correctly.
HoMing
Does 5.6 force some type of certificate inspection then? Looking at a VM for testing thats what it seems unless its in the CLI.
>>Does 5.6 force some type of certificate inspection then? Looking at a VM for testing thats what it seems unless its in the CLI.
Yes. FortiOS 5.6 will automatically enable the most basic certificate-inspection if any module that requires scanning the SSL sessions are enabled like Application Control or Web Filter.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.