Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Andrew3
New Contributor

Security certificate was issued by Fortigate

Lately, I've been seeing various cert issues while browsing various sites. Even Outlook seems to be having problems with the FortiGate. You can see from the image below that outlook is having problems accepting the cert from the Fortigate. Is the configuration wrong? Is there a step missed in the process? Is there a cookbook on SSL inspection?

 

[image][/image]

1 Solution
andrewbailey
Contributor II

Hi Andrew at TheLinkSource.com,

 

Yes, it sounds like you have a configuration issue (by the way it looks like your image was posted incorrectly and has been removed).

 

It sounds like you have full SSL inspection enabled- in that scenario the Fortigate performs a "man in the middle" inspection and the SSL flow is broken in two. Client to Fortigate, Fortigate to Server. The Fortigate reencrypts the SSL session towards the client with it's own CA cert. End clients then see the Fortigate certificate.

 

So all your systems need to trust the Fortigate CA cert otherwise you will see plenty of certificate warnings. Even if your systems do trust the cert- some serivces will break (particularly anything which uses certificate pinning such as google or youtube).

 

Perhaps you should also have a read of the ssh inspection system of the admin documentation here:-

 

http://docs.fortinet.com/...997/ssl-ssh-inspection

 

The Fortigate documentation is pretty good and should help steer you in the right direction.

 

Kind Regards,

 

 

Andy.

View solution in original post

3 REPLIES 3
andrewbailey
Contributor II

Hi Andrew at TheLinkSource.com,

 

Yes, it sounds like you have a configuration issue (by the way it looks like your image was posted incorrectly and has been removed).

 

It sounds like you have full SSL inspection enabled- in that scenario the Fortigate performs a "man in the middle" inspection and the SSL flow is broken in two. Client to Fortigate, Fortigate to Server. The Fortigate reencrypts the SSL session towards the client with it's own CA cert. End clients then see the Fortigate certificate.

 

So all your systems need to trust the Fortigate CA cert otherwise you will see plenty of certificate warnings. Even if your systems do trust the cert- some serivces will break (particularly anything which uses certificate pinning such as google or youtube).

 

Perhaps you should also have a read of the ssh inspection system of the admin documentation here:-

 

http://docs.fortinet.com/...997/ssl-ssh-inspection

 

The Fortigate documentation is pretty good and should help steer you in the right direction.

 

Kind Regards,

 

 

Andy.

Andrew3

Thank you Andy! This sounds like it. So a trust is all that needs to be setup on the workstations to the FortiGate cert. 

Andrew3
New Contributor

https://forum.fortinet.com/tm.aspx?m=143673

 

According to this forum post, the MitM only occurs on blocked sites when Cert inspection only is on and not DPI. They mention that we can disable the respond msg and not have this pop up anymore. I am testing out this method so that I can still handle other network needs like antivirus and web filtering while allowing other devices to connect.

 

Thank you,

Andrew Adams

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors