Official statement and recommendations from the vendor for working around a possible problem with SSL inspection on FortiGate.
If the procedures below do not help, we recommend opening a standard ticket with Fortinet Support. All three workarounds are temporary and should be reverted once a fix is available: workaround 2 stops the firewall from rejecting expired certificates for every site, and workaround 3 makes apps.identrust.com unresolvable for anything that relies on the FortiGate's DNS database.
__________
Access to Websites blocked using SSL inspection Bug ID 750551
There appears to be an ongoing issue with the certificate chain of a root certificate authority (ISRG Root X1). This issue will affect all vendors of SSL-inspection products whether deep or just certificate inspection is in use. This issue has been reported in our internal ticket 0750551 and we will keep you posted on the developments.
In the meantime, currently the workarounds for this issue are:
Make a backup. At the top right > click your profile > Config > backup
1. Use flow-based web filtering. Note: the firewall policy will need to be in flow-mode as well for this to work. This workaround will not work if deep inspection is on.
2. Alternatively in the SSL Inspection Profile > Invalid Certificate > "Custom" and Allow "Expired Certificate" in the interim. (This should be used with caution).
3. The following temporary change will also work, by blocking access to download the expired root CA:
    config system dns-database
        edit "1"
            set domain "identrust.com"
            config dns-entry
                edit 1
                    set hostname "apps"
                    set ip 127.0.0.1
                next
            end
        next
    end
We are sorry for any inconvenience this may have caused and will provide more information as soon as it's available.
For more info, please check out the following links:
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/245593/inspection-mode-per-policy
https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028
Further information on the stale certificate:
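As an added illustration that is not part of Fortinet's statement and is not FortiOS code: a small Python model of certificate path handling that reproduces the symptom and shows why workarounds 2 and 3 above change the verdict. It assumes a validator that first extends the server's chain through the AIA download (the fetch from apps.identrust.com that the DNS entry above blocks) and only afterwards checks expiry and trust; that "extend first, check later" behaviour is an assumption chosen to match the advisory's workarounds, not a description of FortiOS internals. The certificates are constructed stand-ins (subject, issuer, expiry only) for the real Let's Encrypt chain of autumn 2021: leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3, with DST Root CA X3 having expired on 30 September 2021 and the self-signed ISRG Root X1 already present in the trust store. Matching a certificate to a trust anchor by subject name stands in for matching its public key.

```python
"""Toy model of X.509 path handling for the ISRG Root X1 / DST Root CA X3 case.

Added illustration, not FortiOS code. Certificates are reduced to subject,
issuer and expiry; matching against the trust store is done by subject name as
a stand-in for matching the public key. The "extend the chain via AIA first,
then check" behaviour is an assumption made to reproduce the advisory's
symptom, not a description of how FortiOS actually validates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self):
        return self.subject == self.issuer


# Constructed certificates; expiry dates approximate the real ones.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, 16, 0, 0, tzinfo=UTC))
LEAF = Cert("www.example.org", "R3", datetime(2021, 12, 15, 0, 0, 0, tzinfo=UTC))

# Chain a Let's Encrypt server sent in autumn 2021 (leaf, R3, cross-signed root).
SERVED_CHAIN = [LEAF, R3, ISRG_CROSS]
# What the AIA caIssuers URL of the cross-signed ISRG Root X1 hands back
# (hosted on apps.identrust.com, the host the DNS workaround sinkholes).
AIA_ISSUERS = {"DST Root CA X3": DST_ROOT}
# Trust store that holds both the self-signed ISRG Root X1 and the old DST root.
TRUST_STORE = [ISRG_SELF, DST_ROOT]


def validate(served, trust_store, now, *, fetch_aia=True, allow_expired=False, stop_at_anchor=False):
    """Return (ok, reason). Extends the served chain via AIA first, then checks it."""
    chain = list(served)
    for cur, nxt in zip(chain, chain[1:]):
        if cur.issuer != nxt.subject:
            return False, f"broken link {cur.subject} -> {nxt.subject}"

    # Extension phase: walk up through AIA until a self-signed cert (or nothing) is found.
    while not chain[-1].self_signed:
        top = chain[-1]
        if stop_at_anchor and any(a.subject == top.subject for a in trust_store):
            break  # a fixed validator stops as soon as it reaches a known anchor
        issuer = AIA_ISSUERS.get(top.issuer) if fetch_aia else None
        if issuer is None:
            break  # AIA blocked or no issuer published: keep what we have
        chain.append(issuer)

    # Check phase: every cert in the path must be unexpired (unless allowed), and
    # the top of the path must be, or be issued by, a trust anchor.
    for cert in chain:
        if cert.not_after <= now and not allow_expired:
            return False, f"expired certificate in path: {cert.subject}"
    top = chain[-1]
    if any(a.subject in (top.subject, top.issuer) for a in trust_store):
        return True, f"path ends at trust anchor {top.subject}"
    return False, f"no trust anchor for {top.subject}"


def scenarios():
    """Verdicts for the served chain under each of the advisory's workarounds."""
    before = datetime(2021, 9, 1, tzinfo=UTC)
    after = datetime(2021, 10, 1, tzinfo=UTC)
    return {
        "before 30 Sep 2021 (reference)": validate(SERVED_CHAIN, TRUST_STORE, before),
        "default (AIA fetch, expiry enforced)": validate(SERVED_CHAIN, TRUST_STORE, after),
        "workaround 3: AIA download blocked": validate(SERVED_CHAIN, TRUST_STORE, after, fetch_aia=False),
        "workaround 2: allow expired certificate": validate(SERVED_CHAIN, TRUST_STORE, after, allow_expired=True),
        "fixed validator: stop at known anchor": validate(SERVED_CHAIN, TRUST_STORE, after, stop_at_anchor=True),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The model makes the trade-off between the two workarounds visible: blocking the AIA download leaves the path anchored at the unexpired ISRG Root X1 with expiry checking still on, whereas allowing expired certificates accepts the path only because the expired DST Root CA X3 is waved through, which is why the advisory flags that option as one to use with caution.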