RuiChang
Description

This article describes how to apply a local certificate in multiple scenarios on FortiManager and FortiAnalyzer.

Scope

FortiManager/FortiAnalyzer.

Solution

Users can import a custom certificate as a local certificate in FortiManager and FortiAnalyzer.

The local certificate can be applied in multiple scenarios, and each scenario requires its own configuration before the change takes effect. For every scenario below, the CA certificate that issued the local certificate must also be imported into FortiManager/FortiAnalyzer. Examples are provided for each application:

1) Admin GUI:

Log in to FortiManager/FortiAnalyzer, go to System Setting -> Admin -> Admin Setting, and change the certificate to the local certificate.

[Screenshot: Admin Setting page with the certificate selection]

Or configure it from the CLI:

# config system admin setting
    set admin-server-cert <Local Certificate>
end

2) FortiManager FGFM tunnel:

Configure the following in the FortiManager CLI:

# config system global
    set fgfm-ca-cert <CA Certificate>
    set fgfm-local-cert <Local Certificate>
end

Configure the following in the FortiGate CLI:

# config system central-management
    set ca-cert <CA Certificate>
    set local-cert <Local Certificate>
end

3) FortiAnalyzer OFTP tunnel (logging):

Configure the following in the FortiAnalyzer CLI:

# config system certificate oftp
    set mode local
    set local <Local Certificate>
end

Configure the following in the FortiGate CLI:

# config log fortianalyzer setting
    set certificate <Local Certificate>
end

4) FortiManager/FortiAnalyzer HA:

Please note that the CN of the certificate must be the SN (serial number) of the FortiManager/FortiAnalyzer unit itself, so each HA member needs a certificate issued for its own serial number.

FortiManager/FortiAnalyzer Primary:

# config system ha
    set local-cert <Local Certificate>
end

FortiManager/FortiAnalyzer Secondary:

# config system ha
    set local-cert <Local Certificate>
end
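As an added example (not part of this article and not a Fortinet tool), the following POSIX shell helper checks a local certificate before it is imported for the scenarios above: that the CA imported alongside it really is its issuer (the requirement stated in the Solution section), that its subject CN equals the expected value (the unit serial number for HA), and that it has not expired. It assumes the openssl CLI is available; the serial number and file names used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Pre-import checks for a local certificate destined for FortiManager/FortiAnalyzer.
# Hypothetical helper written for this article; requires the openssl CLI.

# check_local_cert <local-cert.pem> <ca.pem> <expected-CN>
# Prints one line per check and returns non-zero on the first failure.
check_local_cert() {
  cert="$1"; ca="$2"; want_cn="$3"
  # The CA being imported must actually be the issuer of the local certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL chain: $cert is not signed by $ca"; return 1; }
  # Subject CN must match what the scenario expects (the unit SN for HA).
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want_cn" ] \
    || { echo "FAIL cn: got '$cn', expected '$want_cn'"; return 1; }
  # Reject certificates that have already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL validity: $cert has expired"; return 1; }
  echo "OK $cert"
}

# run_demo: builds a throw-away CA and a CA-signed leaf whose CN is a
# constructed placeholder serial number, then exercises the checks.
# Returns 0 when the good case passes and both bad cases are rejected.
run_demo() {
  dir=$(mktemp -d) || return 1
  sn="FAZ-VMTM00000000"   # constructed placeholder, not a real unit SN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$sn" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" \
    >/dev/null 2>&1 || return 1
  # Correct CA and CN: must pass.
  check_local_cert "$dir/leaf.pem" "$dir/ca.pem" "$sn" || return 1
  # Wrong SN in the CN: must be rejected (HA would not accept it).
  check_local_cert "$dir/leaf.pem" "$dir/ca.pem" "FAZ-VMTM99999999" && return 1
  # Wrong CA file (not the issuer): must be rejected.
  check_local_cert "$dir/leaf.pem" "$dir/leaf.pem" "$sn" && return 1
  rm -rf "$dir"
  return 0
}
```

Run `check_local_cert local.pem ca.pem <expected CN>` against the real files before uploading them; a non-zero exit means the pair should not be imported as-is.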

5) FortiManager/FortiAnalyzer Syslog server:

[Screenshot: syslog server settings in the GUI]

Or configure it from the CLI (replace <Syslog Server Name> with the name of the syslog server entry):

# config system syslog
    edit <Syslog Server Name>
        set reliable enable
        set secure-connection enable
        set local-cert <Local Certificate>
    next
end

6) FortiManager/FortiAnalyzer Mail Server:

Note that a local certificate is only applicable to SMTPS and STARTTLS on port 587.

Hence, additional configuration is required as shown below (replace <Mail Server Name> with the name of the mail server entry):

# config system mail
    edit <Mail Server Name>
        set port 587
        set secure-option <smtps | starttls>
        set auth-type certificate
        set local-cert <Local Certificate>
    next
end

Related articles:

https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-upload-and-set-local-certificate...

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Using-an-externally-signed-local-certi...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-import-an-SSL-certificate-as-a-loca...

https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-configure-FortiManager-to-use-cu...
