Troubleshooting Tip: Verifying server certificate on SSL Inspection
Description
This article describes how to observe and troubleshoot verifying the server certificate on SSL Inspection.
Solution
The certificate-verification step of an SSL inspection transaction is performed by the fnbamd daemon and can be observed with its debug output. Enable the debug, then access an SSL server through the FortiGate; the check of the server certificate appears as follows:
diagnose debug application fnbamd -1
diagnose debug enable
Start auth_cert:
groups(0):
ip:
cert subject: C = CA, ST = British Columbia, L = Burnaby, O = Fortinet Technologies Canada Inc., OU = Customer Support, CN = support.fortinet.com
cert issuer: C = US, O = "Entrust, Inc.", OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2008 Entrust, Inc.", CN = Entrust Cert
auth_cert succeed: group='', user=''
The 'auth_cert succeed' line at the end of the output shows that the FortiGate accepted this certificate as valid.
A failing check, with the same debug enabled, looks like this:
diagnose debug application fnbamd -1
diagnose debug enable
Start auth_cert:
groups(0):
ip:
cert subject: OU = Test dept, CN = test.example.com
cert issuer: OU = Test dept, CN = test.example.com
client cert expired
quick_check_cert failed
In this case the certificate has already expired, so the quick check fails (note that fnbamd reports it as 'client cert expired' even though the certificate being checked is the server's). The FortiGate treats it as an invalid certificate and the SSL session is failed.
Which daemon handles the rest of the inspected session depends on the inspection mode of the policy: in flow mode the IPS engine does the work and the IPS debugs apply, in proxy mode the WAD daemon does and the WAD debugs apply:
IPS related debug commands:
diagnose ips session list by-mem 15
diagnose ips session status
diagnose autoupdate version | grep "IPS Attack" -A 6
diagnose ips memory status
Additional debugs:
diagnose ips debug enable ? <----- Lists the available debug categories.
diagnose ips debug enable <categories>
diagnose ips filter status
diagnose debug enable
Disable once done:
diagnose debug reset
diagnose debug disable
WAD related debug commands:
WAD debugging can produce a very large volume of output, and the extra debug lines can affect device performance. It is highly recommended to use as many filters as possible so that the WAD daemon only logs the traffic of interest.
The most commonly used options are as follows:
diagnose debug console timestamp enable
diagnose wad debug enable level verbose
diagnose wad debug enable category http
diagnose wad filter src x.x.x.x <----- Source IP of the client.
diagnose wad filter dst y.y.y.y <----- Destination IP of the server.
diagnose debug enable
Further filter options for the WAD debug output are listed with:
diagnose wad filter ?
The fnbamd debug can be enabled at the same time, so that the certificate verdict can be correlated with the IPS or WAD output:
diagnose debug application fnbamd -1
diagnose debug enable
Example 1: Verifying a FortiManager WebUI certificate against Fortinet_CA:
$ openssl verify -CAfile Fortinet_CA.cer fmg.fortinet.com.pem
fmg.fortinet.com.pem: OK
Example 2: Verifying a FortiGate WebUI certificate against Fortinet_CA:
$ openssl verify -CAfile Fortinet_CA.cer FG200B3909600933.crt
FG200B3909600933.crt: /CN=FG200B3909600933/O=Fortinet Ltd.
error 18 at 0 depth lookup:self signed certificate
OK
Here the FortiGate WebUI certificate is self-signed, so it does not chain to Fortinet_CA and openssl reports error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT). The trailing 'OK' is a quirk of the OpenSSL 1.0.x verify utility, which only warns about a self-signed certificate at depth 0 and then continues; OpenSSL 1.1.0 and later end with 'verification failed' in this case, and a FortiGate inspecting such a server certificate classifies it as untrusted.
The meaning of each error code is listed in the verify(1) man page (man verify), which is also available online, for example on the FreeBSD site.
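As an added example (not part of the original article and not Fortinet code), the shell script below reproduces offline, with plain openssl, the three verdicts discussed above: a certificate that chains to a trusted CA (the 'auth_cert succeed' case), the same certificate evaluated outside its validity period (the 'client cert expired' / 'quick_check_cert failed' case) and a self-signed certificate that is not issued by the CA (openssl error 18). The CA name, hostnames, keys and temporary directory are all constructed for the example. Instead of waiting for a certificate to expire it uses 'openssl verify -attime', which evaluates validity at a chosen epoch time.

```shell
#!/bin/sh
# Added example: reproduce offline the certificate verdicts that fnbamd and
# openssl verify report while troubleshooting SSL inspection.
# Everything below (CA name, hostnames, temp directory) is constructed for the
# example; none of it is FortiGate configuration or Fortinet code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA plus two leaf certificates:
#   good.crt - issued by Test-CA, valid for 365 days from now
#   self.crt - self-signed, like the factory FortiGate WebUI certificate
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/OU=Test dept/CN=Test-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/OU=Test dept/CN=test.example.com" \
        -keyout "$WORK/good.key" -out "$WORK/good.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/good.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/good.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/OU=Test dept/CN=self.example.com" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_cert CAFILE CERT [EPOCH]
# Runs openssl verify and prints a one-line verdict: "OK", or "ERR <n>" where
# <n> is the X509_V_ERR_* number taken from the "error N at D depth lookup"
# line (9 = not yet valid, 10 = certificate has expired, 18 = self-signed
# certificate at depth 0). EPOCH, if given, is passed to -attime so validity
# is evaluated at that time instead of now.
verify_cert() {
    cafile=$1; cert=$2; attime=${3:-}
    if [ -n "$attime" ]; then
        out=$(openssl verify -CAfile "$cafile" -attime "$attime" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1 || true)
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1)
    if [ -n "$code" ]; then
        echo "ERR $code"
    else
        echo "OK"
    fi
}

# Print subject and issuer the way the fnbamd debug does, to compare by eye.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

make_certs

echo "--- chains to trusted CA (fnbamd: auth_cert succeed)"
cert_names "$WORK/good.crt"
verify_cert "$WORK/ca.crt" "$WORK/good.crt"             # OK

echo "--- same certificate evaluated on 2100-01-01 (fnbamd: client cert expired)"
verify_cert "$WORK/ca.crt" "$WORK/good.crt" 4102444800  # ERR 10

echo "--- same certificate evaluated on 2000-01-01 (not yet valid)"
verify_cert "$WORK/ca.crt" "$WORK/good.crt" 946684800   # ERR 9

echo "--- self-signed certificate, not issued by the CA (openssl error 18)"
cert_names "$WORK/self.crt"
verify_cert "$WORK/ca.crt" "$WORK/self.crt"             # ERR 18
```

The verdict is taken from the error number rather than from the final 'OK' / 'verification failed' line, so the script gives the same answer on OpenSSL 1.0.x (which prints 'OK' after error 18, as in Example 2 above) and on current releases. To check a real server certificate the same way, save it with 'openssl s_client' and pass it to verify_cert together with the CA bundle the FortiGate trusts.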