Description
While changing the default 'Fortinet_CA_SSL' certificate on the read-only 'certificate-inspection' SSL/SSH inspection profile, the operation fails with the error:
Cannot modify the read-only factory default profiles!
object set operator error, -657 discard the setting.
This article describes how to change the CA certificate on the read-only 'certificate-inspection' profile.
Solution
It is recommended to clone the profile or create a new SSL/SSH inspection profile rather than editing a read-only factory default profile. The workaround below is only suggested when the profile still references a CA that was used in the past and has since expired.

1) Double-check that the local certificate 'Fortinet_CA_SSL' is present in the FortiGate configuration, either via the GUI (see attached screenshot) or via the CLI:
# config vpn certificate local
# get (lists only the names of all local certificates) or # show (prints the full entries)
2) Prepare the CLI script as plain text; its lines are the ones pasted into the Script section in step 5.
3) Go to Security Fabric -> Automation and select 'Create New'.
- Provide a Name.
- Trigger: Schedule.
- Frequency: Daily.
- Trigger Hour: 0.
- Trigger Minute: 1.
4) Action: CLI Script.
5) Paste the following into the Script section. Do not prefix the lines with '#': in a FortiOS CLI script a line starting with '#' is a comment and would be skipped, leaving the profile unchanged.
config firewall ssl-ssh-profile
edit certificate-inspection
set caname Fortinet_CA_SSL
end
6) Select 'OK'.
7) Go to Security Fabric -> Automation. The stitch is listed under 'Schedule'; select it and choose 'Test Automation Stitch'.
Once it has triggered successfully, disable the stitch; otherwise the schedule re-applies the script every day at 00:01.
8) Verify the change to the ssl-ssh-profile via the FortiGate CLI:
# config firewall ssl-ssh-profile
# edit "certificate-inspection"
# get (or # show)
9) The output now shows caname set to 'Fortinet_CA_SSL'.
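The recommended alternative, cloning the factory profile into an editable copy instead of forcing a change onto the read-only one, as an added CLI example that is not part of the original article. It assumes the FortiOS CLI 'clone <name> to <name>' table command is available on the running firmware; the profile name 'certificate-inspection-custom' and the policy ID 1 are placeholders chosen here. Lines starting with '#' are comments if the block is saved as a CLI script.

```text
# Added example, not from the original article. Placeholders: profile name
# 'certificate-inspection-custom' and firewall policy ID 1.

# 1. Clone the read-only factory profile into an editable copy and set the CA.
#    (assumes the 'clone ... to ...' table command exists on this FortiOS version)
config firewall ssl-ssh-profile
    clone certificate-inspection to certificate-inspection-custom
    edit certificate-inspection-custom
        set comment "Editable copy of the factory certificate-inspection profile"
        set caname Fortinet_CA_SSL
    next
end

# 2. Point the firewall policy that referenced the factory profile at the copy.
#    Policy ID 1 is a placeholder; use 'show firewall policy' to find the real one.
config firewall policy
    edit 1
        set ssl-ssh-profile certificate-inspection-custom
    next
end

# 3. Verify: the copy carries the new caname and the factory profile is untouched.
show firewall ssl-ssh-profile certificate-inspection-custom
show firewall ssl-ssh-profile certificate-inspection
```

The copy is a normal profile, so later CA changes (for example when 'Fortinet_CA_SSL' itself is renewed) can be made directly in the GUI or CLI without an automation stitch, and the factory default keeps its read-only protection.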
Note.
This workaround targets a very specific case. It works only because the CLI script of an automation stitch is not subject to the read-only check that rejects the same commands when typed interactively, so it should not become a routine way of editing factory default profiles. Consider instead creating a new inspection profile that can be edited as needed, when needed.