Fortinet users were affected globally due to a problem with a root certification authority’s (ISRG Root X1) certificate chain, and users encountered the problem as follows.
The following steps can be applied as a workaround to this problem. Because this solution will create a security vulnerability, the system update that Fortinet will publish on this topic should be followed.
- First of all, the configuration backup of the device is taken.
- The problem rule is detected and the Security Profiles SSL/SSH Inspection menu is navigated to the certificate-inspection in the rule.
- As seen above, we can enter and edit certificate-inspection, but Fortigate will not allow editing. Therefore, if you make this clone, the following arrangement is made on the corresponding copy. The Expired certificates Block option in the image below is Allowed.
- Finally, in the rule that we have problems with, the SSL Inspection option is replaced with the certificate-inspection you made clone.