mantaransingh_FTNT
Staff
May 1, 2019

Technical Tip: How to use an alternate server certificate for OFTP communication between FortiGate and FortiAnalyzer


Description

 
This article describes how to configure FortiAnalyzer to use an alternate server certificate for OFTP communication with FortiGates. By default, FortiAnalyzer uses the local certificate named 'Fortinet_Local', which is issued by the Fortinet CA.

Scope

 

The CA certificate used to sign the server certificate needs to be imported to all managed FortiGates so that they can validate the certificate presented by the FortiAnalyzer.

Both the server certificate and its private key need to be imported to the FortiAnalyzer in PEM format.

 
Solution

 
To change the server certificate used for OFTP:

  1. Import the CA certificate to all managed FortiGates.

  2. Import the server certificate and private key in PEM format to the FortiAnalyzer. 

 

FortiGate side configuration:

Import the CA certificate to all managed FortiGates. The figure below shows how to do this via the GUI:

 

[Image: kb_15206_1.png]

 

config log fortianalyzer setting
    set server-cert-ca <CA Certificate>    <----- For example CA_Cert_1: the same CA certificate that signed the FortiAnalyzer certificate.
end

 

FortiAnalyzer side configuration:

  1. Import the CA certificate into the FortiAnalyzer.

  2. Generate a CSR, have it signed, and upload the resulting custom certificate.

 

The figure below shows a sample CSR:

[Image: ff5e2ca9.png]

 
Signing the Certificate with an external CA:


The CSR needs to be signed by either a public CA or a private CA to generate the certificate. In this demo, FortiAuthenticator is used as the CA server:

 

[Image: 98e18fff.png]


When deploying FortiAnalyzer in HA mode, the OFTP (Optimized Fabric Transfer Protocol) service may apply stricter certificate validation. In this scenario, the custom certificate must include both the 'Server Authentication' and 'Client Authentication' Extended Key Usages (EKU), along with the 'Digital Signature' Key Usage, to ensure proper communication between cluster members and managed devices.


Why both EKUs are required:

FortiAnalyzer HA members communicate with each other using mutual TLS (mTLS).

Each node can act as:

  • A server (receiving logs / connections).

  • A client (initiating synchronization or HA communication).


Therefore, the certificate must be valid for dual roles.

If only 'serverAuth' is present (as is common in standalone setups), HA synchronization or OFTP communication may fail with certificate validation errors.

After signing the CSR, export and download the certificate generated:

 

[Image: image.png]

 

In FortiAnalyzer, import the signed certificate:

 

[Image: 1. Import Certificate.png]

 

The certificate status will change from Pending to OK once the certificate is uploaded correctly:

 

[Image: 2. Certificate Status.png]

 

CLI method to upload a new custom certificate:

config system certificate oftp
    set mode custom
    set certificate " -- "      <----- Certificate in PEM format.
    set private-key " -- "      <----- Private key in PEM format.
    set password <password>     <----- Password of the private key if it is encrypted; leave unset for an unencrypted key.
end

 

Note:

  • A password is required only if the private key is encrypted.

  • Once the configuration is done, FortiAnalyzer restarts the OFTP communication with the FortiGates.

  • The CN (hostname) of the certificate should be the serial number of the FortiAnalyzer, so that certificate verification on the FortiGate can remain enabled.
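The CSR, signing and import steps above leave the certificate contents to the CA. The script below is an added example, not part of the Fortinet article and not Fortinet code: it uses openssl to issue an OFTP certificate from a throwaway private CA with the CN set to the FortiAnalyzer serial number and the Key Usage and EKUs the HA section requires, then checks the result the way a FortiGate (and an HA peer) would before anything is pasted into 'config system certificate oftp'. It also shows how to tell whether the PEM key is encrypted, which decides whether 'set password' is needed. The serial number 'FAZ-VM0000000001', the CA name and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): issue an OFTP certificate for
# a FortiAnalyzer with a throwaway private CA and check it offline with
# openssl.  The serial "FAZ-VM0000000001", the CA name and all file names are
# assumptions; substitute the real unit serial and your own CA.
set -e

# issue_oftp_cert <outdir> <faz-serial> [<eku-list>]
# Writes ca.pem (import on every FortiGate), faz.key, faz.csr and faz.pem
# (paste the key and the signed cert into "config system certificate oftp").
issue_oftp_cert() {
    dir="$1"; serial="$2"; eku="${3:-serverAuth,clientAuth}"

    # 1. Private CA.  Its certificate is what "set server-cert-ca" points at.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1

    # 2. FortiAnalyzer key and CSR.  The CN is the unit serial number so the
    #    FortiGate can keep certificate verification enabled.  -nodes leaves
    #    the key unencrypted, so no "set password" is needed on import.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$serial" \
        -keyout "$dir/faz.key" -out "$dir/faz.csr" >/dev/null 2>&1

    # 3. Extensions the CA adds when signing: digitalSignature Key Usage and,
    #    by default, BOTH serverAuth and clientAuth EKUs, because an HA member
    #    is a TLS server for FortiGate logs and a TLS client for HA sync.
    cat > "$dir/oftp.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$eku
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/faz.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/oftp.ext" -out "$dir/faz.pem" >/dev/null 2>&1
}

# check_oftp_cert <cert.pem> <ca.pem> <faz-serial>
# Applies the checks a FortiGate (and an HA peer) will apply: chain to the CA,
# CN equal to the serial number, digitalSignature KU, serverAuth + clientAuth.
# Returns 0 when all pass, 1 (with a reason) on the first failure.
check_oftp_cert() {
    cert="$1"; ca="$2"; serial="$3"

    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }

    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$serial" ] \
        || { echo "FAIL: CN '$cn' is not the FortiAnalyzer serial '$serial'"; return 1; }

    # -text works on every openssl version; the extension names are fixed strings.
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q "Digital Signature" \
        || { echo "FAIL: digitalSignature Key Usage missing"; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "FAIL: serverAuth EKU missing"; return 1; }
    echo "$text" | grep -q "TLS Web Client Authentication" \
        || { echo "FAIL: clientAuth EKU missing (required for FortiAnalyzer HA)"; return 1; }

    echo "OK: $cert is usable for OFTP"
}

# key_is_encrypted <key.pem>: true when "set password" will be needed.
# Matches "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) and "Proc-Type: 4,ENCRYPTED" (legacy PEM).
key_is_encrypted() {
    grep -q "ENCRYPTED" "$1"
}

# Demo run; skipped when openssl is absent so the functions can still be sourced.
if command -v openssl >/dev/null 2>&1; then
    SERIAL="FAZ-VM0000000001"          # assumption: use the real unit serial
    OUT="$(mktemp -d)"
    issue_oftp_cert "$OUT" "$SERIAL"
    check_oftp_cert "$OUT/faz.pem" "$OUT/ca.pem" "$SERIAL"
    if key_is_encrypted "$OUT/faz.key"; then
        echo "private key is encrypted: 'set password' is required"
    else
        echo "private key is unencrypted: leave 'set password' unset"
    fi
    echo "Import $OUT/ca.pem on the FortiGates; paste $OUT/faz.pem and $OUT/faz.key into FortiAnalyzer"
fi
```

Run it as 'sh oftp_cert.sh'. To check a certificate received from a real CA instead, call 'check_oftp_cert signed.pem ca.pem <FAZ serial>' against the CA file you intend to import on the FortiGates: a failure on the chain check means the wrong CA is about to be configured under 'set server-cert-ca', and a missing clientAuth EKU is the case that only shows up once HA is enabled.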

 

Once the certificate has been imported, configure OFTP to use that local certificate in the CLI and restart the OFTP daemon:

config system certificate oftp
    set mode local
    set local "FAZ_SSL"    <----- The name under which the signed certificate was imported.
end

 

After changing this configuration, restart the 'oftpd' process for the changes to take effect:


diagnose test application oftpd 99

 

Or reboot the FortiAnalyzer.


Validate the connection status in the FortiGate:

 

[Image: FAZ connection.png]

 

To perform verification in the FortiGate CLI, run the following command:

execute log fortianalyzer test-connectivity

 

[Image: image.png]

 

Alternative FortiAnalyzer configuration:

This alternative method uses any previously imported local certificate for OFTP. Use the following CLI commands to change the certificate used on the OFTP port (TCP/514):

config system certificate oftp
    set mode local
    set local "<LOCAL_CERTIFICATE_NAME>"
end

 

Note:
This option is often used to replace the embedded SHA1 certificate of older FortiAnalyzer hardware platforms (for example, the E-series), where the BIOS certificate is SHA1 but the firmware also provides an updated SHA256 default local certificate named 'Fortinet_Local'.


This certificate also carries the unit serial number in its CN field, which allows FortiAnalyzer certificate verification to remain enabled on the FortiGate.

After changing this configuration, restart the 'oftpd' process for the changes to take effect:

diagnose test application oftpd 99


Or reboot the FortiAnalyzer.

 

Related documents: