Security certificate was issued by Fortigate

Author
Andrew@TheLinkSource.com
2021/03/19 06:34:43 (permalink)

Lately, I've been seeing various cert issues while browsing various sites. Even Outlook seems to be having problems with the FortiGate. You can see from the image below that Outlook is having problems accepting the cert from the FortiGate. Is the configuration wrong? Is there a step missed in the process? Is there a cookbook on SSL inspection?
post edited by Admin_FTNT - 2021/03/19 06:49:57
#1
andrewbailey
Re: Security certificate was issued by Fortigate 2021/03/19 08:45:32 (permalink) ☼ Best Answer by Andrew@TheLinkSource.com 2021/03/19 11:17:49
Hi Andrew at TheLinkSource.com,
 
Yes, it sounds like you have a configuration issue (by the way it looks like your image was posted incorrectly and has been removed).
 
It sounds like you have full SSL inspection enabled. In that scenario the FortiGate performs a "man in the middle" inspection and the SSL flow is broken in two: client to FortiGate, FortiGate to server. The FortiGate re-encrypts the SSL session towards the client with its own CA cert. End clients then see the FortiGate certificate.

So all your systems need to trust the FortiGate CA cert, otherwise you will see plenty of certificate warnings. Even if your systems do trust the cert, some services will break (particularly anything which uses certificate pinning, such as Google or YouTube).

Perhaps you should also have a read of the SSH inspection system of the admin documentation here:

http://docs.fortinet.com/...997/ssl-ssh-inspection

The FortiGate documentation is pretty good and should help steer you in the right direction.
 
Kind Regards,
 
 
Andy.
post edited by andrewbailey - 2021/03/19 08:46:34
#2
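An added example (not from the thread or from Fortinet documentation) of a workstation-side check for the situation described in the answer above: it handshakes once against the system trust store and once against only the exported inspection CA, then classifies the host from the two results. `CA_FILE`, the host names and `simulated_network` are assumptions constructed for illustration.

```python
import socket
import ssl

CA_FILE = "fortigate-ca.pem"  # assumption: where the exported inspection CA was saved


def handshake(host, cafile=None, port=443, timeout=5.0):
    """TLS handshake verified against cafile only, or the system store if None."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            return True


def verifies(host, cafile, connect):
    """True if the chain presented for host validates against the given anchors."""
    try:
        return bool(connect(host, cafile))
    except ssl.SSLCertVerificationError:
        return False


def diagnose(host, ca_file=CA_FILE, connect=handshake):
    """Classify one host by which trust anchors accept its certificate chain."""
    system_ok = verifies(host, None, connect)
    resigned = verifies(host, ca_file, connect)  # does it chain to the inspection CA?
    if resigned and system_ok:
        return "inspected, CA trusted"
    if resigned:
        return "inspected, CA not trusted"  # the warning described in the thread
    if system_ok:
        return "not re-signed"  # exempted, or no full inspection for this host
    return "other certificate problem"


def simulated_network(resigned_hosts, ca_in_system_store):
    """Constructed stand-in for handshake(), so the logic runs without a firewall."""
    def connect(host, cafile):
        resigned = host in resigned_hosts
        ok = resigned if cafile else (ca_in_system_store or not resigned)
        if not ok:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        return True
    return connect


if __name__ == "__main__":
    net = simulated_network({"mail.example.com"}, ca_in_system_store=False)
    for name in ("mail.example.com", "exempt.example.com"):
        print(name, "->", diagnose(name, connect=net))
```

Calling `diagnose(host)` without the `connect` argument performs the two real handshakes from the workstation being checked.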
Andrew@TheLinkSource.com
Re: Security certificate was issued by Fortigate 2021/03/19 11:26:59 (permalink)
Thank you Andy! This sounds like it. So a trust is all that needs to be set up on the workstations to the FortiGate cert.
#3
Andrew@TheLinkSource.com
Re: Security certificate was issued by Fortigate 2021/03/28 10:43:16 (permalink)
https://forum.fortinet.com/tm.aspx?m=143673
 
According to this forum post, the MitM only occurs on blocked sites when Cert inspection only is on and not DPI. They mention that we can disable the respond msg and not have this pop up anymore. I am testing out this method so that I can still handle other network needs like antivirus and web filtering while allowing other devices to connect.
 
Thank you,
Andrew Adams
#4