TIBarigui
New Contributor II

FortiOS and SHA256

Hello!

Has anyone found anything in Fortigate's documentation saying anything about compatibility between Fortigate and SHA256? We have a Fortigate 240D on version 5.2.3.

With the deprecation of SHA1 certificates, I'm now having problems with my Deep Inspection. The strange thing is that even when using a SHA256 certificate, the Fortigate presents a SHA1 certificate to the browser.

I opened a ticket with support and they said FortiOS is compatible with SHA256 since v5.2.6, but I couldn't find any mention of that in the documentation from 5.2.6 to 5.2.8.

Any hints?

Thanks

MikePruett
Valued Contributor

Are you pushing a SHA256 cert to the Gate and then using that as your inspection cert?

Also, you probably want to push your firmware up to the 5.2.10 range (using the proper upgrade path, of course). There are some security bugs in 5.2.3 you will want to mitigate.

Mike Pruett Fortinet GURU | Fortinet Training Videos
TIBarigui

Mike,

Thanks for your response.

You're right, I'm using a SHA256 cert from my internal CA as my inspection cert.

TAC told me that I should upgrade my OS to at least 5.2.6. I was wondering if that is true, because there is no note about this matter in the changelog.

I'll try the upgrade and then report the results.

mattnotley2004

TIBarigui wrote:

Mike,

Thanks for your response.

You're right, I'm using a SHA256 cert from my internal CA as my inspection cert.

TAC told me that I should upgrade my OS to at least 5.2.6. I was wondering if that is true, because there is no note about this matter in the changelog.

I'll try the upgrade and then report the results.

We are having deep inspection issues too since the deprecation of SHA1. It has only started to hit us recently on a small group of Chromebooks running Chrome OS Beta (v57), which are displaying "Weak Signature Algorithm" warnings on all HTTPS sites using the newer certificates (not just Google sites). Production devices running Chrome OS 56 and lower are fine.

If the upgrade resolves your deep inspection problem, we will follow suit.

TIBarigui

Hey Guys!

We did the update last night from 5.2.3 to 5.2.10, but have seen little improvement, at least for our problem.

1) IE now loads my certificate correctly with the SHA256 algorithm. Thanks MikePruett for that!

2) Our problems with inspection remain the same. Actually, the big problem here is with Google. I get 3 different behaviours with the 3 most used browsers (in flow-mode WebFilter):

a) IE loads www.google.com (or .br in my case) with my certificate and SafeSearch, but when I hit search, it gives me a block page saying "the url is banned". The strange thing is that it is not the default web blocked page. It is as if the Fortigate were blocking me with another engine. I have attached the screenshot.

b) Google Chrome doesn't even load the www.google.com page. It says the page took too long to respond. I captured the error as well.

c) Firefox loads Google's page and does the search, but without my certificate, and therefore no SafeSearch. And yes, it has my certificate added as it should be.

All that said, guess what? In Proxy mode all of them work perfectly!

My ticket is still open. I just gave them some feedback from these tests.

Best Regards,

Luiz

TIBarigui
New Contributor II

Well, apparently Deep Inspection does not work with webfilter in flow-mode. That is the information support gave me.

Nice that I couldn't find any mention of that in the Fortinet documentation, as usual. What I DID find was a document for FortiOS 5.2.8 that says it DOES WORK.

http://docs.fortinet.com/uploaded/files/2181/fortigate-security-profiles-guide-528.pdf

1. Go to Security Profiles > Web Filter.
2. Determine if you wish to create a new profile or edit an existing one.
3. Select an Inspection Mode.
4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.
5. Configure any Quotas needed. (Proxy Mode)
6. Allow blocked override if required. (Proxy Mode)
7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)
8. Configure Static URL Settings. (All Modes)
9. Configure Rating Options. (All Modes)
10. Configure Proxy Options.
11. Save the filter and web filter profile.
12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

mattnotley2004

I was concerned when you mentioned deep inspection doesn't work with flow-based, however... we upgraded from 5.2.3 to 5.2.10 this morning and everything works perfectly now: no more certificate errors on Chromebooks, no cert errors on Google sites, and no errors on other SSL sites (and we're using flow-based policies).

Have tried in multiple browsers on our Windows machines as well. All OK now.

I should also note that we are not using the default Fortigate certificate. We generated our own SHA256 cert with a 2048-bit RSA key using OpenSSL, imported it into the FortiGate 600C, and added it to our policies, deploying it to the certificate stores on our devices.

We upgraded as per the recommended path 5.2.3 > 5.2.5 > 5.2.7 > 5.2.9 > 5.2.10

TIBarigui

mattnotley2004,

Sorry, I now see I made an error in my last message. Actually, what support told me is that Safe Search does not work with flow-based mode.

We did the same upgrade as you did and yes, Deep Inspection is working fine on IE, Chrome and Firefox. No more messages/warnings in the browser's console.

The **** is www.google.com. In flow-based mode it does not load the first page in Google Chrome. Using IE, it loads Google's home page but gives me an error when I type any search.

Seems like Google does not like someone sniffing their connections.

mattnotley2004

Hi TIBarigui,

Interesting, will try Safe Search on IE.

Another thing you could try; we found this helped not just with Chromebooks but with our Windows clients too:

https://support.google.com/chrome/a/answer/6334001?hl=en

There are certain Google domains which must be exempted, otherwise they will throw errors no matter what we do. Two of them are "safebrowsing-cache.google.com" and "safebrowsing.google.com". We have added the full list to a new "Whitelist" category in web rating override, then added this category under Exempt from SSL Inspection.
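As an added example (not from the thread, and not Fortinet's own tooling), the OpenSSL steps mattnotley2004 describes for building a SHA256, RSA-2048 inspection CA, together with client-side checks for the two symptoms discussed in this thread: the signature algorithm on the certificate the Fortigate actually hands the browser (the original poster saw SHA1 despite loading a SHA256 cert), and whether a host such as safebrowsing.google.com is really exempt from inspection (its leaf should then be issued by Google's public CA, not by the inspection CA). The CA subject, output directory and host names are placeholders chosen here; the `presented_cert` check needs network access from a client behind the FortiGate and is not exercised offline.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Fortinet.
# Builds a SHA-256-signed RSA-2048 inspection CA with OpenSSL and checks what
# a client actually receives from a deep-inspection proxy.
set -eu

# gen_ca DIR [DIGEST]: writes DIR/ca.key and DIR/ca.crt, a self-signed CA
# suitable for import as a deep-inspection certificate. DIGEST is the
# signature hash (default sha256; sha1 reproduces the deprecated case).
# The subject name below is a placeholder.
gen_ca() {
  dir=$1
  digest=${2:-sha256}
  cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Inspection CA
O  = Example Org
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -"$digest" -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# sig_alg CERT: print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption. Browsers that dropped SHA-1 warn on
# sha1WithRSAEncryption, which is what the original poster's browser saw.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
    | head -n 1
}

# is_weak_sig CERT: succeed (exit 0) if the certificate is signed with
# SHA-1 or MD5, the algorithms modern browsers reject.
is_weak_sig() {
  case $(sig_alg "$1") in
    sha1*|md5*) return 0 ;;
    *)          return 1 ;;
  esac
}

# issuer_cn CERT: print the issuer CN. For a host exempted from SSL
# inspection this is the site's real CA; for an intercepted host it is
# the inspection CA's CN.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# presented_cert HOST [PORT]: print (PEM) the leaf certificate a client
# behind the FortiGate actually receives for HOST. Live network check.
presented_cert() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# Stand-alone use: sh inspect_ca.sh ./out [host]
# Creates the CA in ./out and reports its signature algorithm; with a host
# name, also reports what that host presents through the proxy.
if [ $# -ge 1 ]; then
  mkdir -p "$1"
  gen_ca "$1" sha256
  printf 'Inspection CA signature: %s\n' "$(sig_alg "$1/ca.crt")"
  if [ $# -ge 2 ]; then
    presented_cert "$2" >"$1/presented.crt"
    printf '%s presents %s, issued by %s\n' "$2" \
      "$(sig_alg "$1/presented.crt")" "$(issuer_cn "$1/presented.crt")"
  fi
fi
```

Run it from a client whose traffic passes through the deep-inspection policy: an intercepted site should report your CA's CN as issuer and a SHA-256 signature; a host on the exempt list (for example safebrowsing.google.com) should report a Google-issued certificate instead. If the issuer is your CA but `sig_alg` says sha1WithRSAEncryption, the FortiGate is re-signing with SHA-1 regardless of the CA you loaded, which is the behaviour the thread attributes to the pre-5.2.6 firmware.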

TIBarigui

Hey Matt,

We had to override some Google URLs too, but I hadn't seen this page before. Thank you so much for that!

Well, another thing I just realized now is that Safe Search is unavailable in Flow-Based mode. That said, it would be impossible for you to test. Sorry.
