Last active January 23, 2025 01:24
githubfoam/e21026171f00b5d49ade2f173f51caaf
fortigate - deep inspection cheat sheet
---------------------------------------------------------------------------------------------------------------------------
#exempting websites (e.g. github.com) from deep inspection
method 1
#create group
Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard FQDN Group
#create members
Security Profiles > SSL/SSH Inspection > Profile1 > Addresses > + > Wildcard "*.github.com"
method 2
#create group
Security Profiles > Web Rating Overrides > Custom Categories > Create New
#add group
Security Profiles > Web Filter > FortiGuard Category Based Filter > Local Categories
#create members
Security Profiles > Web Rating Overrides > Create New
---------------------------------------------------------------------------------------------------------------------------
#ChatGPT
Perform Root-Cause-Analysis on this error where SSL inspection is configured by the firewall: Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)'))) - skipping

The root cause of this error is that SSL inspection is configured by the firewall. SSL inspection is a security measure used by some firewalls to inspect and filter encrypted traffic. When SSL inspection is enabled, the firewall intercepts the SSL traffic, decrypts it, inspects it for any threats, and then re-encrypts it before forwarding it to the destination server.
In the case of this error, when the user tries to access the URL "https://pypi.org/simple/pip/" using pip, the firewall intercepts the SSL traffic and tries to re-encrypt it. However, the SSL certificate presented by the firewall is not trusted by the client (pip), leading to the error "SSL: CERTIFICATE_VERIFY_FAILED".
To fix this error, the user can either disable SSL inspection on the firewall, or configure the firewall to use a trusted SSL certificate. Alternatively, the user can configure pip to trust the SSL certificate presented by the firewall. This can be done by adding the certificate to the trusted certificate store used by pip, or by disabling SSL certificate verification in pip (not recommended for security reasons).
---------------------------------------------------------------------------------------------------------------------------
#ChatGPT
Explain how the user can configure pip to trust the SSL certificate presented by the firewall when this happens: Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)'))) - skipping

If the user is facing the error message "certificate verify failed" while running pip, it could be due to the SSL inspection configured by the firewall. To resolve this issue, the user can configure pip to trust the SSL certificate presented by the firewall by following these steps:
Download the root certificate from the firewall: The user can obtain the root certificate from the firewall administrator or from the certificate issuer.
Save the certificate: Save the certificate in a location where pip can access it.
Specify the path to the certificate: Add the path to the certificate to the pip.conf file. This file is located in the pip directory in the user's home directory. If the file does not exist, the user can create one.
Add the following lines to the pip.conf file:
    [global]
    cert = /path/to/certificate.crt
Replace /path/to/certificate.crt with the actual path to the root certificate.
Save the changes to the pip.conf file.
After following these steps, pip should be able to trust the SSL certificate presented by the firewall and the user should be able to install packages using pip.
---------------------------------------------------------------------------------------------------------------------------
#ChatGPT
explain how to troubleshoot Could not fetch URL https://pypi.org/simple/scapy/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/scapy/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)'))) - skipping

This error usually occurs when the SSL certificate presented by the server cannot be verified by the client due to a lack of trust. To troubleshoot this issue, you can follow these steps:
Check if the server's SSL certificate has expired or is revoked: You can verify this by visiting the website in a web browser and checking the SSL certificate information. If the SSL certificate is expired or revoked, you will need to contact the website owner to renew or replace the certificate.
Check if the system clock is correct: If the system clock on your machine is incorrect, it can cause SSL certificate verification to fail. Ensure that your system clock is set correctly and synchronized with a reliable time source.
Check if SSL inspection is enabled by the firewall: Some firewalls perform SSL inspection by intercepting and inspecting SSL traffic. This can cause issues with SSL certificate verification. You can try disabling SSL inspection on the firewall temporarily to see if it resolves the issue.
Configure pip to trust the SSL certificate presented by the server: If the SSL certificate presented by the server is valid, but your client does not trust it, you can configure pip to trust the certificate. This can be done by adding the server's SSL certificate to the trusted certificate store on your machine or by configuring pip to ignore SSL certificate verification.
Update the CA bundle used by Python: If the CA bundle used by Python is outdated, it may not trust the SSL certificate presented by the server. You can update the CA bundle by downloading the latest version from the certifi package or by updating the operating system's root CA bundle.
---------------------------------------------------------------------------------------------------------------------------
#ChatGPT
how to enable SSL verification with pip in PyCharm
Enabling SSL verification with pip in PyCharm involves setting the REQUESTS_CA_BUNDLE environment variable to point to the location of the certificate authority (CA) bundle file. Here's how to do it:
Open your PyCharm project and go to the Settings menu by clicking File > Settings on Windows/Linux or PyCharm > Preferences on Mac.
In the Settings dialog, navigate to Build, Execution, Deployment > Console > Python Console.
In the Environment variables section, click the + button to add a new environment variable.
Enter REQUESTS_CA_BUNDLE as the name and the path to your CA bundle file as the value. For example, C:\Python39\Lib\site-packages\certifi\cacert.pem on Windows or /usr/local/etc/openssl/cert.pem on Mac/Linux.
Click OK to save the environment variable and close the dialog.
With the REQUESTS_CA_BUNDLE environment variable set, pip should now be able to verify SSL certificates when connecting to servers.
---------------------------------------------------------------------------------------------------------------------------
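Added example, not part of the original gist, serving both the pip.conf `cert` section and the REQUESTS_CA_BUNDLE section above: both settings replace pip's default CA bundle rather than extend it, so a file holding only the firewall's root would break every host the firewall exempts from inspection (e.g. *.github.com from method 1). The script appends the firewall's exported root to a copy of the public bundle, checks that OpenSSL can parse the result before pip is pointed at it, and prints the matching pip.conf lines. The PEM bodies inside the script are constructed placeholders, and the bundle and CA paths in the final block are assumptions.

```python
"""Merge the firewall's deep-inspection root CA into a copy of the public CA bundle and
emit the matching pip.conf lines (added example, not part of the original gist)."""
import re, ssl, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.S)

# Constructed placeholder PEM bodies so the demo runs offline; they are NOT real
# certificates, so OpenSSL will (correctly) refuse to load the resulting bundle.
SAMPLE_PUBLIC_ROOTS = ("-----BEGIN CERTIFICATE-----\nUk9PVDE=\n-----END CERTIFICATE-----\n"
                       "-----BEGIN CERTIFICATE-----\nUk9PVDI=\n-----END CERTIFICATE-----")
SAMPLE_FIREWALL_CA = "-----BEGIN CERTIFICATE-----\nRldDQQ==\n-----END CERTIFICATE-----"

def pem_blocks(text: str) -> list[str]:
    """Every CERTIFICATE block in `text`, CRLF normalised so dedup compares content."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(text)]

def merge_bundles(base_pem: str, extra_pem: str) -> str:
    """Public roots first, then each firewall CA block that is not already present."""
    merged, seen = [], set()
    for block in pem_blocks(base_pem) + pem_blocks(extra_pem):
        if block not in seen:
            seen.add(block)
            merged.append(block)
    return "\n".join(merged) + "\n"

def bundle_loads(path: Path) -> bool:
    """Confirm OpenSSL can parse the bundle before pip.conf / REQUESTS_CA_BUNDLE use it."""
    try:
        ssl.create_default_context().load_verify_locations(cafile=str(path))
        return True
    except OSError:  # ssl.SSLError is an OSError subclass
        return False

def pip_conf(bundle: "str | Path") -> str:
    """Body for pip.conf (Linux/macOS) or pip.ini (Windows); `cert` replaces the default bundle."""
    return f"[global]\ncert = {bundle}\n"

def demo() -> tuple[int, bool]:
    """Merge the constructed samples into a temp file: (block count, loads in OpenSSL)."""
    out = Path(tempfile.mkdtemp()) / "inspection-bundle.pem"
    out.write_text(merge_bundles(SAMPLE_PUBLIC_ROOTS, SAMPLE_FIREWALL_CA))
    return len(pem_blocks(out.read_text())), bundle_loads(out)

if __name__ == "__main__":
    # Real use (assumed paths): base = certifi.where() or ssl.get_default_verify_paths().cafile,
    # extra = the root exported from the FortiGate; then point pip.conf at the merged file.
    print(demo(), pip_conf(Path.home() / ".config" / "pip" / "inspection-bundle.pem"))
```

With real inputs, expect `bundle_loads` to return True; a False means the exported firewall root is not valid PEM and should not be trusted by pip yet.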
#ChatGPT
Disable SSL verification: Although not recommended, you can also disable SSL verification by using the --trusted-host flag with pip. For example, you can run the following command to install scapy:
    pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org scapy
Note that this solution should only be used if you trust the server and have no other options.
---------------------------------------------------------------------------------------------------------------------------