newNetwork
New Member
September 21, 2015
Question

Public certificate for fortigate login page OR authentication page?

  • September 21, 2015
  • 5 replies
  • 10225 views

As you are aware, when we implement authentication on a policy, when the user goes to a public website he gets a page prompting for username/password.

If the user requests an https site then the authentication response is also in https. Since the page is encrypted using a self-signed certificate it throws a warning.

The case is similar with the firewall management page on https.

In order to get rid of this warning, one of the hassle-free ideas is to purchase and apply a public GoDaddy, Comodo etc. certificate.

I am struggling to get the same done.

As I read here, it is not possible to generate a certificate for internal domain names and private IP addresses.


https://www.digicert.com/internal-names.htm

Does anyone have any idea on how to do it?


    5 replies

    Bromont_FTNT
    Staff
    Staff
    September 21, 2015

    You'll need to generate your own certificate. Then just make sure the public CA root (example: from certificate services on your DC) is installed on all internal PCs.

    gschmitt
    New Member
    September 21, 2015

    newNetwork wrote:

    As you are aware, when we implement authentication on a policy, when the user goes to a public website he gets a page prompting for username/password.

    On which policy are you using the authentication? Are you letting your (internal) users authenticate when trying to access the web (WAN)?

    newNetwork wrote:

    If the user requests an https site then the authentication response is also in https. Since the page is encrypted using a self-signed certificate it throws a warning.

    The case is similar with the firewall management page on https.

    After importing (System > Certificates) you can set the certificate at User & Devices > Authentication > Settings.

    newNetwork wrote:

    In order to get rid of this warning, one of the hassle-free ideas is to purchase and apply a public GoDaddy, Comodo etc. certificate.

    I am struggling to get the same done.

    As I read here, it is not possible to generate a certificate for internal domain names and private IP addresses.

    Correct, you can no longer get certificates for internal names.

    newNetwork
    New Member
    September 22, 2015

    I am able to apply a public cert for authentication and admin access of the FortiGate firewall, but

    whenever the user tries https://google.com the request is redirected to the auth page and a warning is displayed complaining that the Cname of the certificate is not matching, etc.

    Anyone have any idea?

    My idea is to completely avoid the warning...

    newNetwork
    New Member
    September 23, 2015

    Similar issue, still looking for a workaround:

    https://forum.fortinet.com/tm.aspx?m=114844


    gschmitt
    New Member
    September 23, 2015

    Okay, first of all you need a certificate your users trust.

    If you have non-AD clients in the network you need a public cert; otherwise you can use your own PKI and distribute the cert to your users using GPO.


    You can change the URL of the authentication page per policy like this:

    config firewall policy
        edit <my_policy_ID>
            set auth-redirect-addr "my.fortigate.com"
        next
    end
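Why the redirect address matters, as an added example that is not code from this thread or from Fortinet: a browser accepts the portal's certificate only if the host in the redirect URL appears in the certificate's Subject Alternative Name list, so a public cert issued for an FQDN still warns when the redirect points at the firewall's IP. The SAN lists below are constructed; the tuple format is the one Python's `ssl` module uses for `subjectAltName`.

```python
import ipaddress


def hostname_matches(redirect_host, san_entries):
    """Return True if a browser would accept a cert carrying san_entries for redirect_host.

    san_entries are (type, value) pairs such as ('DNS', 'fgt.example.com') or
    ('IP Address', '203.0.113.10'), the shape ssl.getpeercert() returns for subjectAltName.
    """
    host = redirect_host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # An IP literal in the URL only matches an iPAddress SAN; dNSName entries never match it.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            continue
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # Wildcard handling: a single leftmost label only, and the bare domain does not match.
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".example.com"
            labels = host[: -len(suffix)] if host.endswith(suffix) else None
            if labels and "." not in labels:
                return True
    return False


def diagnose(redirect_host, san_entries, issuer_trusted):
    """List the reasons the captive-portal redirect would warn: untrusted issuer, name mismatch, or both."""
    problems = []
    if not issuer_trusted:
        problems.append("issuer not trusted (self-signed, or private CA root not installed on the client)")
    if not hostname_matches(redirect_host, san_entries):
        problems.append("name mismatch: %r not covered by SAN %r" % (redirect_host, [v for _, v in san_entries]))
    return problems


if __name__ == "__main__":
    public_cert_san = [("DNS", "fgt.example.com")]  # constructed: what a public CA would issue
    # Default redirect to the interface IP warns even with the public cert installed.
    print(diagnose("192.168.1.99", public_cert_san, issuer_trusted=True))
    # With auth-redirect-addr set to the FQDN in the cert, nothing to warn about.
    print(diagnose("fgt.example.com", public_cert_san, issuer_trusted=True))
```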

    newNetwork
    New Member
    September 23, 2015

    Thanks gschmitt for the reply,


    I have already applied these commands, as explained here: http://kb.fortinet.com/kb/documentLink.do?externalID=FD35120


    On the FortiGate CLI, configure the FortiGate unit to use the newly imported certificate for HTTPS admin access and for the authentication page:

    config sys global
        set admin-server-cert <certificate_name>
    end
    config firewall policy
        edit <Authentication_Policy_ID>
            set auth-cert <certificate_name>
            set auth-redirect-addr "FGT.example.com"
        next
    end
    config user setting
        set auth-cert <certificate_name>
        set auth-secure-http enable
    end