FortiGate
mzainuddinahm
Article Id 190137
Description
While changing the default CA certificate 'Fortinet_CA_SSL' on the read-only 'certificate-inspection' SSL/SSH inspection profile, the FortiGate returns the error: Cannot modify the read-only factory default profiles!
object set operator error, -657 discard the setting.

This article describes how to change the CA certificate used by the read-only 'certificate-inspection' SSL/SSH inspection profile.

Solution
It is recommended to clone or create a new SSL/SSH inspection profile rather than editing a read-only profile.
The workaround below is only recommended when the CA previously used by this profile has expired.

1) Double-check that the local certificate "Fortinet_CA_SSL" is present in the FortiGate configuration, via the GUI (see attached screenshot) or via the CLI:
# config vpn certificate local
# get (lists only the names of all local certificates) or # show (displays the full configuration)
2) Prepare the CLI script as plain text (the lines shown in step 5 below).

3) Go to Security Fabric -> Automation and select 'Create New'.
- Provide a Name.
- Trigger: Schedule.
- Frequency: Daily.
- Trigger Hour: 0.
- Trigger Minute: 1.

4) Action: CLI Script.

5) Paste the following lines into the Script section. Do not include the '#' prompt: lines beginning with '#' are treated as comments by the script parser and would be ignored.
config firewall ssl-ssh-profile
    edit certificate-inspection
        set caname Fortinet_CA_SSL
    end
6) Select 'OK'.

7) Go to Security Fabric -> Automation. The stitch will be listed under 'Schedule': select it and choose 'Test Automation Stitch'.
Disable the stitch once it has been triggered successfully.

8) Verify the change to the ssl-ssh-profile via the FortiGate CLI:
# config firewall ssl-ssh-profile
    edit "certificate-inspection"
# get (or # show)
9) 'set caname Fortinet_CA_SSL' will now be visible in the output.
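To automate the check in steps 8 and 9 across several profiles, the small parser below reads FortiOS `show firewall ssl-ssh-profile` output (nested config/edit/set/next/end blocks) and reports which CA each profile is bound to. This is an added example, not code from the article or from Fortinet; the sample output is constructed, not captured from a real unit.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample of `show firewall ssl-ssh-profile` output after the stitch
# has run. Only the keys used below matter; real output carries many more.
SAMPLE_SHOW = """\
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status certificate-inspection
        end
    next
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
"""

# One token is either a double-quoted string or a run of non-whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')

def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse `show` output into nested dicts keyed by config path and edit name.

    Assumes well-formed `show` output, where every edit ends with `next` and
    every config with `end` (a pasted script may use a bare `end` instead)."""
    root: Dict[str, Any] = {}
    stack = [root]
    for line in text.splitlines():
        tok = [t.strip('"') for t in _TOKEN.findall(line)]
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def profile_caname(show_output: str, profile: str) -> Optional[str]:
    """CA name bound to an ssl-ssh-profile, or None when caname is not set."""
    profiles = parse_fortios(show_output).get("firewall ssl-ssh-profile", {})
    return profiles.get(profile, {}).get("caname")
```

Feed it the text captured from the CLI session; a profile that returns None still uses the FortiOS default CA.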

Note:
This workaround is for a very specific case. Consider instead creating a new inspection profile that can be edited as needed.
