FortiGate SSL Inspection: What Happens with Invalid Certs?

Interesting choices...

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Here's an interesting question to ponder: what can a FortiGate do if it needs to perform SSL inspection but the remote web server is trying to use an invalid certificate?

In the inspection profile configuration, there are three options for this case:

  • Trust & Allow - This tells the FortiGate to allow the web server transaction and treat the invalid certificate as trusted, swapping in its own re-signed certificate toward the client. From an end user perspective there is no noticeable difference: the user's browser does not complain at all.
  • Keep Untrusted & Allow - The FortiGate still allows the connection, but it does not swap out the certificate. It is then up to the end user's browser to decide what action to take.
  • Block - This action does not let the transaction go any further and blocks the activity outright.

Which one to choose depends on your tolerance for risk and the user behavior you want. "Block" is the safest choice because it avoids the whole situation, but it obviously impacts availability. At the other extreme, "Trust & Allow" masks the situation from the user's client altogether, so a certificate problem upstream is never surfaced to anyone.
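The same three choices, as they appear in the FortiOS CLI for an SSL/SSH inspection profile. This is an added example, not taken from the article or the Fortinet guide linked below; the profile name is made up, and the mapping of GUI labels to CLI values is my reading of the per-protocol cert options, so confirm it against the admin guide for the FortiOS version you run.

```text
# Added example: an SSL/SSH inspection profile with the untrusted-server-cert
# setting spelled out. "custom-deep-inspection" is a placeholder profile name.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set ports 443
            set status deep-inspection
            # Invalid (untrusted) server certificate handling. The three
            # values line up with the GUI options discussed above:
            #   ignore -> Trust & Allow        (re-sign; client sees no error)
            #   allow  -> Keep Untrusted & Allow (pass the original cert through)
            #   block  -> Block                (drop the session)
            set untrusted-server-cert block
            # The neighbouring settings cover other ways a cert can be bad and
            # take the same three values; leaving them at allow/ignore while
            # blocking untrusted certs only closes one of the gaps.
            set expired-server-cert block
            set revoked-server-cert block
            set cert-validation-failure block
        end
    next
end
```

After applying the profile to a policy, test it from a client against a site that deliberately serves a bad certificate and confirm the browser behaviour matches the option you picked: an error page for Block, a browser warning for Keep Untrusted & Allow, and no warning at all for Trust & Allow.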

For additional information, check this out:

Configuring an SSL/SSH inspection profile | Administration Guide