Google Earth not working with Fortigate

user · ‎02-19-2020

When launch Google Earth, get message that:

Security certificate for play.google.com is not trusted!

With three options:

[ol]

Proceed Anyway (Unsafe)

Show Details

Reject Connection.[/ol]

Company IT mentioned to click 1 but it says it is unsafe. Why is fortigate making Google Earth unsafe? Does this mean Fortigate people are break into my Google Earth and that is why it is unsafe? OR is Fortigate install spyware and Telemery like Windows in this security certificate?

Dave_Hall · ‎02-19-2020

Most sites that run or hosted via Google (including play.google.com) uses Google's wildcard security certificate. If the fgt is using full SSL (e.g. deep packet) inspection, you will get a security certificate warning because the fgt plays a man-in-the-middle by substituting it's own security certificate in place of the sites own security certification in order to peek at the encrypted traffic. This is pure speculation on my part - you need to take a look at the warning message to see what the error is - it should include what the name is on the security certificate itself.

The pic below show what the real cert should look like.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

user · ‎02-20-2020

If view the details, it shows this (cannnot get screenshot to load here) Type only a few lines only:

Certificate error(s":

The root certificate of the certificate is self signed and untrusted.

Serial Number: 60:15:1a:b3c5ef:1e:18

support@fortigate.com

user · ‎02-21-2020

Here I finally got screenshot to work on Vbox. It makes PNG and your site does not allow PNG. Had to uploaded to another site to get it to work.

[image]https://forum.fortinet.com/ upload image[/image]

emnoc · ‎02-21-2020

Your doing SSL inspection you need to fix your clients by insert and trusting the Cert forger who's the Foprtigate. Nothing is wrong with google earth, fwiw

Ken Felix

PCNSE

NSE

StrongSwan

Dave_Hall · ‎02-21-2020

Hi user.

Your screenshot and your last post shows the Fortigate on your company network appears to be configured for full SSL inspection, and as such requires (ideally) a proper security certificate be installed on your computer's web browser. There are other workaround or remedies for this, of course you can choose to accept the one presented to you (assume it is the fortigate security certificate) but you should follow whatever advise given to you by your network or IT admin.

f you are not in charge or manage your company's fortigate firewall, I suggest you speak to the person who is in charge and let them know you can't download Google Earth because of the company's fortigate firewall settings.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

user · ‎02-21-2020

Person said to ignore it and click Proceed Anyway (Unsafe). This is why I am looking for a solution for it since they are no concern about. It says that it is unsafe which makes me worried. How to I bypass and get the certificated installed correctly so that it is save rather than unsafe.

Dave_Hall · ‎02-21-2020

Follow your network admin's lead - do keep in mind that if you choose to proceed there should be an option to add the site's security certificate to your browser - this should be the Fortinet security certificate...but do consult your network admin on this.

I have already provided a link above to understand what is happening and included in that link are "workarounds", including detailed sections:

- Preventing certificate warnings (CA-signed certificate) - Preventing certificate warnings (default certificate) - Preventing certificate warnings (self-signed) - Why you should use SSL inspection The likely best option in your case is to simply ask your network admin to provide and/or install the Foritgate security certificate in your web browser.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

user · ‎02-26-2020

After clicking Proceed Anyway (Unsafe), there is no option to add the site's certificated. Admin says that everything is fine and use the unsafe option only.

Is there any other way to make it safe if admin does not want to import the certificated or does it need a bypass method?

user · ‎06-11-2020

Ok. I found a bypass method to get around foritgate. Thanks for trying but had to solve it my self.