I have a web portal that has a cert designated to the FQDN.

If you access this portal via IP, it will load with an invalid cert.

For reasons, it will need to remain this way - as we cannot block IP access, or turn off the portal.

My question, in short, is what are the risks of an invalid cert?

My understanding is that without a proper certificate, connections to this site over its IP address will be unencrypted. This would leave the device accessing the site at risk of data leaking via someone on the same net sniffing their traffic. That said, the site itself would remain otherwise secure and restricted.

notes: All users access this site via a preconfigured app that connects via the FQDN with a valid cert. I am not concerned about users accessing the site incorrectly, more worried about the site itself when a threat actor finds the site during random IP crawls. For those that like to look at post history, yes, this is related to my Fortinet SSL VPN Web Portal inquiries.