FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff
Article Id 194517
Description
When SSL content inspection for HTTPS (deep scan) is enabled on a FortiGate, the web browsers will usually prompt a warning message if the Certificate Authority (CA) for the default certificate used by the Fortigate SSL inspection  is not known by the browser.  The default certificate in this case is Fortinet_CA_SSLProxy.

Internet Explorer will display the warning page :

rmetzger_FD32404_IE8_certificate-warning_.jpg


If the user clicks on "Continue to this website (not recommended)", the certificate will be temporarily accepted for this connection, but the same message will be prompted at the next connection or when accessing any other HTTPS  site.

This procedure that follows explains how to permanently store the Fortigate root CA in Internet Explorer to avoid any further warning message.

Solution
1. Download the FortiGate CA from the Web Based Manager (GUI)

1.1.  Go to System --> Certificates --> Local Certificates
1.2.  Select Fortinet_CA_SSLProxy (this applies to another certificate that needs to be used  for SSL inspection)
1.3.  Click on Download
1.4.  Save the file Fortinet_CA_SSLProxy.cer (or any other related CA file if another certificate needs to be used)

=========== 1.1 to 1.3 ===========

rmetzger_FD32404_download_FGT_CA.jpg

=========== 1.4 ===========

rmetzger_FD32404_save_cer.jpg



2. Install the root CA in the trusted root certification list of Internet Explorer 8

2.1. From an Internet Explorer 8 window, go to Tools --> Internet Options --> Content --> Certificates --> Trusted Root Certification Authorities
2.2. Click on Import and select the .cer file saved previously ; keep all other default options and accept the new Fortigate CA installation
2.3. Verify in the Trusted Root Certification Authorities list that the new root certificate is present
2.4  Check that the IE8 warning message is no longer displayed when accessing an HTTPS Web site

=========== 2.1  ===========

rmetzger_FD32404_path_to_certificates.jpg

=========== 2.2  ===========

rmetzger_FD32404_import_root_CA_in_IE.jpg

===========

rmetzger_FD32404_FGT_CA_security_warning.jpg

=========== 2.3  ===========

rmetzger_FD32404_verify_root_CA.jpg

Related Articles

Technical Note: FortiGate HTTPS web URL filtering and HTTPS FortiGuard web filtering

Technical Tip : SSL Inspection fails when FortiGate verifies the server certificate by its CA certif...

Troubleshooting Tip : Verifying server certificate on SSL Inspection

Contributors