FortiSASE
auppal, Staff
Article Id 308261
Description
This article describes the case where users try to access a host with an expired certificate, such as an internal web server, and the HTTPS connection is blocked by an SSL inspection profile applied to Secure Private Access (SPA) policies, or, for an external web host with an expired certificate, by the Secure Internet Policy (SIA).

In that case, the following log entry is expected under SSL Inspection Security Events:


date=2024-03-29 time=11:19:56 id=7351851840192905242 itime="2024-03-29 11:19:56" euid=1068 epid=104 dsteuid=3 dstepid=101 logver=702074782 type="utm" subtype="ssl" level="warning" sessionid=2969888 policyid=42 srcip=10.212.128.3 dstip=104.154.89.105 srcport=49976 dstport=443 proto=6 logid=1700062303 service="SSL" user="test" action="blocked" eventtime=1711736395708532155 srcintfrole="undefined" dstintfrole="wan" srcintf="ssl.root" dstintf="port2" eventtype="ssl-anomaly" profile="outbound" hostname="expired.badssl.com" msg="SSL connection is blocked, certificate-status: expired." tz="-0700" eventsubtype="certificate-anomaly" srcuuid="xyz" dstuuid="xyz" direction=outbound policytype="policy" srccountry="Reserved" dstcountry="United States" poluuid="3c681976-edf7-51ee-a770-123456" devid="FG*******" vd="root" dtime="2024-03-29 11:19:56" itime_t=1711736396 devname="test"
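To find these events in exported logs, the following is an added Python example (not code from the article or from Fortinet) that parses FortiOS key=value log lines and reports SSL certificate-anomaly blocks with the certificate status taken from the msg field; the sample lines are constructed to match the shape of the event above.

```python
import re
from typing import Dict, List

# A token is key=value; the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg field carries the reason, e.g. "certificate-status: expired."
_STATUS_RE = re.compile(r'certificate-status:\s*([a-z-]+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS/FortiSASE key=value log line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def certificate_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per SSL connection blocked for a certificate anomaly."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "ssl":
            continue  # not an SSL inspection event
        if f.get("eventsubtype") != "certificate-anomaly" or f.get("action") != "blocked":
            continue  # allowed, or a different SSL anomaly
        m = _STATUS_RE.search(f.get("msg", ""))
        hits.append({
            "hostname": f.get("hostname", ""),
            "status": m.group(1) if m else "unknown",
            "user": f.get("user", ""),
            "policyid": f.get("policyid", ""),
            "profile": f.get("profile", ""),
        })
    return hits


# Constructed sample lines (shortened) shaped like the SSL Inspection events in the article.
SAMPLE_LOGS = [
    'date=2024-03-29 time=11:19:56 type="utm" subtype="ssl" level="warning" policyid=42 srcip=10.212.128.3 dstip=104.154.89.105 dstport=443 user="test" action="blocked" eventtype="ssl-anomaly" profile="outbound" hostname="expired.badssl.com" msg="SSL connection is blocked, certificate-status: expired." eventsubtype="certificate-anomaly"',
    'date=2024-03-29 time=11:20:01 type="utm" subtype="ssl" level="notice" policyid=42 user="test" action="passthrough" eventtype="ssl-anomaly" profile="outbound" hostname="example.com" msg="SSL connection is allowed" eventsubtype="certificate-anomaly"',
    'date=2024-03-29 time=11:20:05 type="utm" subtype="webfilter" action="blocked" hostname="example.org" msg="URL belongs to a denied category"',
]

if __name__ == "__main__":
    for hit in certificate_blocks(SAMPLE_LOGS):
        print(f"{hit['hostname']}: blocked by profile {hit['profile']} "
              f"(policy {hit['policyid']}, user {hit['user']}), certificate {hit['status']}")
```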

Scope
FortiSASE.

Solution
The FortiOS 'Exempt' feature in Deep Packet Inspection cannot be used as a workaround for expired or untrusted certificates. It only exempts the destination from inspection by UTM profiles such as Antivirus, IPS and Web Filter.

Certificate validation, however, is always performed by the SSL inspection profile.

As of April 2024, FortiSASE version 1.4.7-v24.1.37 does not support allowing domains with expired certificates or creating exceptions that permit connections in such cases. A New Feature Request with ID #0799026 has been filed; reference it when inquiring about its current status with Fortinet support or when checking the product release notes.