Problems with "certificate inspection" on Google.com

slemke
2017/04/25 07:07:37 (permalink)

Hello,

I have a weird problem with web filtering, certificate inspection (NOT deep inspection) and google.com on a FortiGate 50E, v5.4.4.

When I try to open google.com I get an ERR_CONNECTION_CLOSED, on several PCs with FF, IE and Chrome, all with the same error; other HTTPS sites are working.
Again, I do not have deep inspection configured, only certificate inspection, therefore I do not have a CA root from the FGT installed (then other websites wouldn't work either).

When I disable either the SSL inspection or the webfilter completely, it works. I have tested this also with a FGT60D on 5.4.4: same error. On the 60D with 5.2.10 everything was fine.

The configuration is attached below.
Any ideas, any known bugs?

Thanks
Sebastian

config firewall policy
    [...]
    edit 22
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "PC UTM Temp disabled"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    [...]
end

config webfilter profile
    [...]
    edit "default"
        set comment "default web filtering"
        config ftgd-wf
            config filters
                edit 1
                    set category 2
                    set action warning
                next
                edit 2
                    set category 7
                    set action warning
                next
                edit 3
                    set category 8
                    set action warning
                next
                edit 4
                    set category 9
                    set action warning
                next
                edit 5
                    set category 11
                    set action warning
                next
                edit 6
                    set category 12
                    set action warning
                next
                edit 7
                    set category 13
                    set action warning
                next
                edit 8
                    set category 14
                    set action warning
                next
                edit 9
                    set category 15
                    set action warning
                next
                edit 10
                    set category 16
                    set action warning
                next
                edit 11
                    set action warning
                next
                edit 12
                    set category 57
                    set action warning
                next
                edit 13
                    set category 63
                    set action warning
                next
                edit 14
                    set category 64
                    set action warning
                next
                edit 15
                    set category 65
                    set action warning
                next
                edit 16
                    set category 66
                    set action warning
                next
                edit 17
                    set category 67
                    set action warning
                next
                edit 18
                    set category 26
                    set action block
                next
            end
        end
    next
    [...]
end

config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "SSL handshake inspection."
        config https
            set ports 443
            set status certificate-inspection
        end
        config ftps
            set ports 990
            set status disable
        end
        config imaps
            set ports 993
            set status disable
        end
        config pop3s
            set ports 995
            set status disable
        end
        config smtps
            set ports 465
            set status disable
        end
        set caname "Fortinet_CA_SSLProxy"
        set certname "Fortinet_SSLProxy"
    next
end


#1

    hmtay_FTNT
    Re: Problems with "certificate inspection" on Google.com 2017/04/26 11:27:48 (permalink)
    Hello Sebastian,

    Your configuration looks fine. Can you send me a packet capture when you try to access the Google site with the issue you are having? I can take a look at the pcap for you to see if the FortiGate tried to intercept the certificate, and for potentially other issues. Thanks!

    HoMing
    #2
    lolaat
    Re: Problems with "certificate inspection" on Google.com 2017/04/26 22:22:19 (permalink)
    Hello,
    did you use FortiClient?

    #3
    slemke
    Re: Problems with "certificate inspection" on Google.com 2017/04/27 00:34:06 (permalink)
    Good morning,

    I will take a packet trace today or tomorrow. I will send you the download link via PM, OK?
    FortiClient is not being used.

    Regards,
    Sebastian
    #4
    hmtay_FTNT
    Re: Problems with "certificate inspection" on Google.com 2017/05/01 07:40:51 (permalink)
    Posting the discussion from our PM here for reference, in case other users run into similar problems.

    This is a bug that happens when the Web Filter is enabled but has neither the FortiGuard categories nor the Static URL Filter enabled. The Web Filter in this configuration has the option "set options ftgd-disable", which disables the FortiGuard categories. The Static URL Filter was not used either. When this unusual combination is used, the FortiGate, in simpler terms, "overscanned" and caused this problem with Google's new signature hashes.

    An immediate fix to this problem is to enable either the FortiGuard categories or the Static URL Filter. A better solution, if neither of them is being used, is not to enable the Web Filter at all.

    HoMing
    post edited by hmtay_FTNT - 2017/05/03 07:01:18
    #5
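As an added example, not code from this thread or from Fortinet: a small Python lint that parses FortiOS CLI text (the config/edit/set/next/end syntax shown in the first post) and flags the combination HoMing describes, a policy with an SSL/SSH profile whose web filter profile has "ftgd-disable" set and no static URL filter. The sample config is constructed, and the "urlfilter-table" key under "config web" is an assumption about where a static URL filter appears in the profile.

```python
import shlex
# Constructed sample in FortiOS CLI syntax (not the thread's own config): policy 22's
# profile disables FortiGuard categories, policy 23's profile keeps them enabled.
SAMPLE_CONFIG = """
config firewall policy
    edit 22
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 23
        set webfilter-profile "with-categories"
        set ssl-ssh-profile "certificate-inspection"
    next
end
config webfilter profile
    edit "default"
        set options ftgd-disable
    next
    edit "with-categories"
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    stack: list = [{}]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok or tok[0] == "[...]":
            continue  # blank line or elided section
        if tok[0] in ("config", "edit"):  # open a nested block
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":  # leaf: attribute -> list of values
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close the current block
            stack.pop()
    return stack[0]

def bug_condition_policies(text: str) -> list:
    """IDs of SSL-inspecting policies whose web filter lacks FortiGuard categories and a URL filter."""
    cfg = parse_fortios(text)
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        prof = cfg.get("webfilter profile", {}).get(pol.get("webfilter-profile", [None])[0])
        if prof is None or "ssl-ssh-profile" not in pol:
            continue  # no web filter profile, or no SSL inspection on this policy
        ftgd_off = "ftgd-disable" in prof.get("options", [])
        if ftgd_off and "urlfilter-table" not in prof.get("web", {}):  # key is assumed
            hits.append(pid)
    return hits
```

Running it against a "show full-configuration" dump of a 5.4.4 unit points at the policies that hit the condition; per HoMing's reply, enabling categories or a URL filter on that profile, or upgrading to 5.4.5, clears it.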
    Agent 1994
    Re: Problems with "certificate inspection" on Google.com 2017/09/07 13:03:01 (permalink)
    hmtay
    Posting the discussion from our PM here for reference, in case other users run into similar problems.

    This is a bug that happens when the Web Filter is enabled but has neither the FortiGuard categories nor the Static URL Filter enabled. The Web Filter in this configuration has the option "set options ftgd-disable", which disables the FortiGuard categories. The Static URL Filter was not used either. When this unusual combination is used, the FortiGate, in simpler terms, "overscanned" and caused this problem with Google's new signature hashes.

    An immediate fix to this problem is to enable either the FortiGuard categories or the Static URL Filter. A better solution, if neither of them is being used, is not to enable the Web Filter at all.

    HoMing

    HoMing, I believe that I have the same problem at a customer's. It's a 300D cluster running 5.4.4 (upgraded in Dec 2016).

    Users are reporting that they can't access Google's sites; I went to the site and captured data using Wireshark.
    In the capture I saw that the connection never got past the "Client Hello" part. From my point of view, Google's reply to the TLS hello was an ACK and then a FIN/ACK.

    I found your post and created a web filter profile with some categories blocked and all the others set to monitor. Apparently this didn't solve the issue. I'll go there tomorrow.

    However, I must ask: is all you have to do to assign a web filter profile with FortiGuard categories or Static URL Filter set to the policy?

    TIA

    #6
    hmtay_FTNT
    Re: Problems with "certificate inspection" on Google.com 2017/09/07 15:04:05 (permalink)
    Hello Agent 1994,

    Yes, either the FortiGuard categories or the Static URL Filter should do the trick. Your issue might be a different one then. Can you upgrade to 5.4.5? The bug was fixed in 5.4.5. If you can send me the pcap, I can check for you.

    HoMing
    #7