This came to my attention over the weekend when a customer reached out and mentioned that they had called TAC because their UTM policy was blocking certain sites.
The issue stems from the following configuration, FortiGate policy in proxy mode (6.2.x and above) or FortiGate in proxy mode (earlier versions) with SSL inspection applied - even if it's certificate based.
Based on the detail provided, it is due to the Sectigo AddTrust External Root CA expiring on May 30th 2020. It's my understanding that a permanent solution is being worked. However in the meantime to work around this issue you have two options:
If you're running FortiOS 6.2.x or above, you can place the policy in Flow based mode. Just remember to put it back in proxy once this is resolved.
If your running a version earlier than 6.2.x, you can browse to Security Profiles > SSL/SSH inspection > allow invalid certificates. Please remember to set this back once the issue is resolved
Thank you for reading, I hope this helps.
Comments