Fortinet white logo
Fortinet white logo

Administration Guide

Certificate inspection

Certificate inspection

FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you can use directly. When you use certificate inspection, the FortiGate only inspects the headers up to the SSL/TLS layer.

If you do not want to deep scan for privacy reasons but you want to control web site access, you can use certificate-inspection.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Untrusted SSL certificates and Server Certificate SNI checks are not performed. If these features are needed, use proxy‑based inspection mode.

Replacement messages for HTTPS connections

When using certificate inspection in a firewall policy, a user will encounter a block page served in HTTPS when accessing an HTTPS web page that triggers a replacement message.

The replacement message can display for many reasons, such as a page being blocked by a web filter category, a page displaying a warning for a web filter category, a page requiring authentication, and so on. If you inspect the certificate, it shows that the replacement page is signed by the FortiGate CA.

For your clients to no longer see a warning message for an invalid certificate, install the respective CA certificate in the client's certificate store.

To download the CA certificate:
  1. Go to Security Profiles > SSL/SSH Inspection.

  2. Edit the SSL/SSH inspection profile that is being used in the firewall policy.

  3. Beside the CA Certificate field, click Download.

  4. Share and install this certificate on the client endpoints devices.

By default, the SSL/SSH inspection profile uses the Fortinet_CA_SSL certificate. You can customize this certificate by changing the selection in the CA Certificate field to another certificate in the FortiGate's certificate store.

Inspect non-standard HTTPS ports

The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you must create a new certificate inspection profile.

If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.

To add a port to the inspection profile in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.

  2. Create a new profile, or clone the default profile.

  3. If you do no know what port is used in the HTTPS web server, under Protocol Port Mappingenable Inspect All Ports.

    If you know the port, such as port 8443, then set HTTPS to 443,8443.

  4. Configure the remaining setting as needed.

  5. Click OK.

Common options

Invalid SSL certificates can be blocked, allowed, or a different actions can be configured for the different invalid certificates types. See Configuring an SSL/SSH inspection profile.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Expired certificates and Revoked certificates checks are not performed, and the Validation timed-out certificates and Validation failed certificates actions do not apply. If these features are needed, use proxy‑based inspection mode.

Certificate inspection

Certificate inspection

FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you can use directly. When you use certificate inspection, the FortiGate only inspects the headers up to the SSL/TLS layer.

If you do not want to deep scan for privacy reasons but you want to control web site access, you can use certificate-inspection.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Untrusted SSL certificates and Server Certificate SNI checks are not performed. If these features are needed, use proxy‑based inspection mode.

Replacement messages for HTTPS connections

When using certificate inspection in a firewall policy, a user will encounter a block page served in HTTPS when accessing an HTTPS web page that triggers a replacement message.

The replacement message can display for many reasons, such as a page being blocked by a web filter category, a page displaying a warning for a web filter category, a page requiring authentication, and so on. If you inspect the certificate, it shows that the replacement page is signed by the FortiGate CA.

For your clients to no longer see a warning message for an invalid certificate, install the respective CA certificate in the client's certificate store.

To download the CA certificate:
  1. Go to Security Profiles > SSL/SSH Inspection.

  2. Edit the SSL/SSH inspection profile that is being used in the firewall policy.

  3. Beside the CA Certificate field, click Download.

  4. Share and install this certificate on the client endpoints devices.

By default, the SSL/SSH inspection profile uses the Fortinet_CA_SSL certificate. You can customize this certificate by changing the selection in the CA Certificate field to another certificate in the FortiGate's certificate store.

Inspect non-standard HTTPS ports

The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you must create a new certificate inspection profile.

If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.

To add a port to the inspection profile in the GUI:
  1. Go to Security Profiles > SSL/SSH Inspection.

  2. Create a new profile, or clone the default profile.

  3. If you do no know what port is used in the HTTPS web server, under Protocol Port Mappingenable Inspect All Ports.

    If you know the port, such as port 8443, then set HTTPS to 443,8443.

  4. Configure the remaining setting as needed.

  5. Click OK.

Common options

Invalid SSL certificates can be blocked, allowed, or a different actions can be configured for the different invalid certificates types. See Configuring an SSL/SSH inspection profile.

Note

When a firewall policy is in flow-based inspection mode, SSL Certificate Inspection does not validate the certificate. Expired certificates and Revoked certificates checks are not performed, and the Validation timed-out certificates and Validation failed certificates actions do not apply. If these features are needed, use proxy‑based inspection mode.