Information for partners: Possible problems with SSL inspection on FortiGate


Official statement and recommendations from the vendor on fixing a possible problem with SSL inspection on FortiGate.

If these procedures do not work, we recommend opening a standard ticket with Fortinet Support.

__________

Access to websites blocked when using SSL inspection (Bug ID 750551)

There appears to be an ongoing issue with the certificate chain of a root certificate authority (ISRG Root X1). This issue will affect all vendors of SSL-inspection products, whether deep inspection or just certificate inspection is in use. This issue has been reported in our internal ticket 0750551 and we will keep you posted on the developments.

In the meantime, the current workarounds for this issue are:

Make a backup first: at the top right, click your profile > Config > Backup.

1. Use flow-based web filtering. Note: the firewall policy will need to be in flow mode as well for this to work. This workaround will not work if deep inspection is on.

2. Alternatively, in the SSL Inspection Profile > Invalid Certificate, select "Custom" and allow "Expired Certificate" in the interim. (This should be used with caution.)

3. The following temporary change will also work, by blocking access to download the expired root CA:

# Answer apps.identrust.com with the loopback address so the expired root CA
# cannot be downloaded from it (the original entry was missing the closing
# "next" / "end" of the outer dns-database entry).
config system dns-database
    edit "1"
        set domain "identrust.com"
        config dns-entry
            edit 1
                set hostname "apps"
                set ip 127.0.0.1
            next
        end
    next
end

We are sorry for any inconvenience this may have caused and will provide more information as soon as it's available.
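The failure the statement describes comes from a chain being built toward a root that has expired, even though the site's own certificate is fine. The following Go program is an added example written for this page (it is not Fortinet's code and is not taken from the statement above): it constructs a miniature PKI in the Let's Encrypt shape, with constructed names "Old Root CA" (standing in for the expired cross-signing root), "New Root CA" (the current self-signed root, the role ISRG Root X1 plays), "Intermediate R" and a leaf for the hypothetical host www.example.test, validated at an assumed clock of 2021-10-01. It then validates the served chain twice: once with a trust store that holds only the expired root, and once with the current root added.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ca bundles a certificate with the private key that signs under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64 = 1

// issue creates a certificate for subject cn holding key (generated when nil),
// signed by parent (self-signed when parent is nil). All names are constructed.
func issue(cn string, isCA bool, notBefore, notAfter time.Time, key *ecdsa.PrivateKey, parent *ca) *ca {
	var err error
	if key == nil {
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			panic(err)
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{"www.example.test"}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// PKI mirrors the Let's Encrypt layout: a self-signed new root, the same root key
// cross-signed by an old root that has since expired, an intermediate and a leaf.
type PKI struct {
	OldRoot, NewRoot, CrossSigned, Intermediate, Leaf *ca
	Now                                              time.Time // clock used for validation
}

func BuildPKI() *PKI {
	y := func(yr int) time.Time { return time.Date(yr, 1, 1, 0, 0, 0, 0, time.UTC) }
	oldRoot := issue("Old Root CA", true, y(2000), y(2021), nil, nil)              // expired before Now
	newRoot := issue("New Root CA", true, y(2015), y(2035), nil, nil)              // current self-signed root
	cross := issue("New Root CA", true, y(2015), y(2024), newRoot.key, oldRoot)    // cross-sign of the same key
	inter := issue("Intermediate R", true, y(2020), y(2025), nil, newRoot)
	leaf := issue("www.example.test", false, y(2021), y(2022), nil, inter)
	return &PKI{oldRoot, newRoot, cross, inter, leaf, time.Date(2021, 10, 1, 0, 0, 0, 0, time.UTC)}
}

// verify validates the leaf for www.example.test the way a TLS client or an
// SSL-inspecting middlebox does: served certificates are untrusted intermediates,
// trusted ones form the trust store. Go rejects any chain member that has expired.
func verify(p *PKI, served, trusted []*ca) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t.cert)
	}
	for _, s := range served {
		inters.AddCert(s.cert)
	}
	_, err := p.Leaf.cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: "www.example.test", CurrentTime: p.Now,
	})
	return err
}

// OnlyOldRootTrusted: the trust store holds just the expired root and the server
// sends the cross-signed chain, so the only chain found ends at an expired root.
func OnlyOldRootTrusted(p *PKI) error {
	return verify(p, []*ca{p.Intermediate, p.CrossSigned}, []*ca{p.OldRoot})
}

// NewRootTrusted: same served chain, but the current self-signed root is also
// trusted, so a chain stopping there is found and the expired path is irrelevant.
func NewRootTrusted(p *PKI) error {
	return verify(p, []*ca{p.Intermediate, p.CrossSigned}, []*ca{p.OldRoot, p.NewRoot})
}

// ExpiredRootCause reports whether a verification failure was due to expiry.
func ExpiredRootCause(err error) bool {
	return err != nil && strings.Contains(err.Error(), "expired")
}

func main() {
	p := BuildPKI()
	fmt.Println("old root only :", OnlyOldRootTrusted(p))
	fmt.Println("new root added:", NewRootTrusted(p))
}
```

The first scenario reproduces the symptom: the leaf, intermediate and cross-signed certificate are all within their validity period, yet validation fails because the path terminates at the expired root. The second shows the durable fix: once the current self-signed root is in the validator's trust store, the same served chain is accepted without touching any expiry checks. Workaround 2 above (allowing expired certificates) would instead suppress the failure in the first scenario, which is why the statement says it should be used with caution.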

For more information, please check out the following links:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/245593/inspection-mode-per-policy

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028


Further information on the stale certificate:

https://marketresearchtelecast.com/lets-encrypt-certificates-stuttering-possible-on-september-30th/164576/