Description:
This article describes a use case where SSL Deep Inspection is enabled on FortiGate and the destination host/webserver requires the client to present its Client Certificate during SSL/TLS negotiation as part of authentication.
Scope: FortiGate.
Solution:
Currently, FortiGate does not support relaying the Client Certificate to the web server and at the same time performing Deep inspection of the SSL/TLS session in either of the following deep inspection modes.
Configuring the Deep Inspection profile on FortiGate (server certificate mode):
re-sign <----- Multiple Clients Connecting to Multiple Servers.
replace <----- Protect an SSL server.
# config https
    set ports 443
    set client-certificate ?
bypass  <----- Bypass the session.
inspect <----- Inspect the session.
block   <----- Block the session.
- When the client-certificate setting is set to 'bypass', FortiGate exempts that session from SSL deep inspection and passes the client certificate to the server for SSL/TLS negotiation. Deep inspection is not performed in this case.
- When the client-certificate setting is set to 'inspect', FortiGate performs deep inspection but does not send the Client Certificate to the server. This can lead to SSL/TLS negotiation failures and the connection being dropped. FortiOS does not support re-signing Client Certificates via the deep inspection configuration; this is only supported by FortiProxy.
- When the client-certificate setting is set to 'block', FortiGate blocks the session when it receives the client certificate during SSL/TLS negotiation.
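The following is an added configuration example and is not part of this article: a dedicated deep-inspection profile that sets 'client-certificate bypass' on HTTPS and is bound to an outbound firewall policy, so that only sessions in which the client presents a certificate are exempted while all other HTTPS traffic is still deep-inspected. The profile name, interface names, address objects and policy values are assumed placeholders.

```text
# Added example (not from the KB article). Names in quotes are assumed placeholders.
config firewall ssl-ssh-profile
    edit "deep-inspection-mtls"
        set comment "Deep inspection; sessions presenting a client certificate are bypassed"
        set server-cert-mode re-sign            <----- Multiple clients to multiple servers.
        set caname "Fortinet_CA_SSL"            <----- CA used to re-sign server certificates.
        config https
            set ports 443
            set status deep-inspection
            set client-certificate bypass       <----- Exempt mTLS sessions instead of breaking them.
        end
    next
end

config firewall policy
    edit 0                                      <----- 0 allocates the next free policy ID.
        set name "outbound-https-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-mtls"
        set nat enable
    next
end
```

The trade-off to keep in mind when reviewing this configuration: any HTTPS session in which the client presents a certificate is passed without deep inspection, so the set of destinations that require client certificates should be known and reviewed rather than assumed.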
Alternate Solution:
Related document:
Copyright 2023 Fortinet, Inc. All Rights Reserved.