- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Prevent Certificate Warnings without SSL Deep Insp...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Prevent Certificate Warnings without SSL Deep Inspection (Certificate Inspection only)
I found a great Cookbook article on preventing Certificate Warnings with SSL Deep inspection enabled. It didn't make mention of how to do this without SSL Deep Inspection enabled.
Wondering if it's even possible with L2 firewalls, given that the only IP to associate with a cert is the management IP.
Labels:
- Labels:
-
5.4
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You get those certificate warnings because SSL Deep inspection is man in the middle. This means the connection from yur FGT on to your client will be encrypted with a certficate on the FGT and only the other half is encryted with the original certificate. By default there is only some self signed cert installed on the FGT.
So you either have tp install the Fortinet CAs on your client to enable them to validate the default cert or install a new one that has a CA already known by the browsers. Keep in mind this requires a Certificate that is able to create Certificates (CA) because of man in the middle.
What do you mean without SSL Deep Inspection? The certificate used if you access your FGT via htts? Same issue as above. Install Fortigate CAs or own valid certificate for https.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for jumping in the water so quick, sw! I appreciate the immediate feedback.
To answer your question, what I mean about "without SSL Deep Inspection" is when you go to Policy & Objects>Security Profiles>SSL/SSH Inspection>Inspection Method and do not choose "Full SSL Inspection", but instead use "SSL Certificate Inspection".
I probably should use the term "Full Inspection" instead of "Deep Inspection", even if so much of the documentation has "Deep" used in it. My apologies for the confusion. Thank you for asking for clarification.
This, in conjunction with Flow Based Web Filtering enabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, The preliminary observation we have is that a component of an application is reaching out to a “doubleclick.net” related domain that is being blocked due to advertising. The block itself is not causing an issue that we know of, it is the security settings in the IE based built-in browser in the application that is throwing up errors caused by the self-signed certificate of the WFC not having a valid CRL URL.
We get a Security Alert pop-up that says "Revocation information for the security certificate for this site is not available. Do you want to proceed?"
With just SSL Certificate Inspection and Flow Based Web Filetering enabled, we're not sure how best to address this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there anything preventing or stopping you from creating custom firewall rule(s) for the application in question, e.g. tailoring the UTM features applied to that connection only?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply, Mr. Hall.
That is not an option for us, unfortunately. If it were only a few dozen machines with this issue, maybe.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A component of an application is reaching out to a “doubleclick.net” related domain that is being blocked due to the advertising category being blocked as per the WCF. The block itself is not causing an issue that we know of, it is the security settings in the IE based built-in browser in the application that is throwing up errors caused by the self-signed certificate of the WFC not having a valid CRL URL. There is a group policy setting to not look at the CRL, and disabling that keeps the error from populating. However, this is not a solution, as much as it is a workaround. We cannot dismiss CRL's. The only way to get rid of the certificate error page for HTTPS, that we know of, is for all workstations to trust the Fortigate’s Built-in Certificate. An alternative is to disable the HTTPS block page but still block HTTPS, however this violates our Security Plan Policy. We have to have that Block Page. We need to determine if there is a fix for the certificate revocation error without having to trust the local Fortigate built in certificate. Also, if that fix is that we have to use our own CA cert, how do we generate an official certificate for a L2 firewall? The only IP is the management interface so how do you generate the CRS and satisfy the DNS piece?
Related Posts
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.