RuiChang (Staff)
Article Id 242591
Description

This article describes how to apply a local certificate in the various scenarios where FortiManager and FortiAnalyzer use one.

Scope

FortiManager/FortiAnalyzer.

Solution

A custom certificate can be imported into FortiManager and FortiAnalyzer as a local certificate.

The local certificate can be used in several scenarios, and each of them requires its own configuration before the change takes effect. Before a local certificate can be applied in any of the scenarios below, the CA certificate that signed it must be imported into FortiManager/FortiAnalyzer. An example is provided for each scenario:

  1. Admin GUI: Log in to FortiManager/FortiAnalyzer, go to System Settings -> Admin -> Admin Settings, and change the certificate to the local certificate.

[Screenshot: Admin Settings page with the certificate field set to the local certificate]

Or configure it from the CLI:

config system admin setting
    set admin-server-cert <Local Certificate>
end

  2. FortiManager fgfm-tunnel (FortiGate management connection): configure the following in the FortiManager CLI:

config system global
    set fgfm-ca-cert <CA Certificate>
    set fgfm-local-cert <Local Certificate>
end

Then configure the following in the FortiGate CLI so that the FortiGate trusts the same CA and presents its own local certificate:

config system central-management
    set ca-cert <CA Certificate>
    set local-cert <Local Certificate>
end

  3. FortiAnalyzer OFTP tunnel (logging): configure the following in the FortiAnalyzer CLI:

config system certificate oftp
    set mode local
    set local <Local Certificate>
end

Then configure the following in the FortiGate CLI:

config log fortianalyzer setting
    set certificate <Local Certificate>
end

  4. FortiManager HA. Note that the CN of the certificate must be the serial number of the FortiManager unit itself, so each HA member needs a certificate issued for its own serial number. The setting is applied on both units:

FortiManager Primary:

config system ha
    set local-cert <Local Certificate>
end

FortiManager Secondary:

config system ha
    set local-cert <Local Certificate>
end

  5. FortiManager/FortiAnalyzer syslog server. The local certificate is used only when the syslog connection is reliable (TCP) and secured:

[Screenshot: Syslog server settings with Reliable Connection and Secure Connection enabled and the local certificate selected]

Or configure it from the CLI:

config system syslog
    edit <Syslog Server Name>
        set reliable enable
        set secure-connection enable
        set local-cert <Local Certificate>
    next
end

  6. FortiManager/FortiAnalyzer mail server. Note that the local certificate applies only to SMTPS and STARTTLS on port 587, so the following additional settings are required:

config system mail
    edit <Mail Server Name>
        set port 587
        set secure-option <smtps | starttls>
        set auth-type certificate
        set local-cert <Local Certificate>
    next
end
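All of the scenarios above depend on two properties of the certificate files before they are imported: the local certificate must chain to the CA certificate that is imported alongside it, and, for the HA scenario, its CN must equal the unit's serial number. The script below is an added example that is not part of this article or of any Fortinet product: it builds a throwaway lab CA and a local certificate with OpenSSL and then checks both properties with `openssl verify` and a CN comparison. The serial number `FMG-VM0000000001` and the CA name `Lab Root CA` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fortinet code: build a lab CA plus a local certificate whose
# CN is the FortiManager serial number, then verify what the article's scenarios
# require before the files are imported:
#   1. the local certificate chains to the CA certificate you will import;
#   2. for HA, the CN equals the unit's serial number.
# "FMG-VM0000000001" and "Lab Root CA" are constructed placeholders.

set -eu

# make_lab_certs DIR SERIAL: write ca.crt, ca.key, local.crt, local.key under DIR.
make_lab_certs() {
    dir="$1"; serial="$2"
    mkdir -p "$dir"
    # self-signed CA (the certificate that would be imported as the CA certificate)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Lab Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # CSR for the local certificate, CN set to the serial number as the HA scenario requires
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$serial" -keyout "$dir/local.key" -out "$dir/local.csr" >/dev/null 2>&1
    # sign the CSR with the lab CA to produce the local certificate
    openssl x509 -req -sha256 -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -in "$dir/local.csr" -out "$dir/local.crt" >/dev/null 2>&1
}

# cert_cn FILE: print the CN of a PEM certificate (RFC 2253 form, comma separated).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_chain CA LOCAL: succeed only if LOCAL was issued by CA.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_ha_cert CA LOCAL SERIAL: both checks; prints the reason on failure.
check_ha_cert() {
    if ! check_chain "$1" "$2"; then
        echo "local certificate does not chain to the CA certificate"
        return 1
    fi
    cn=$(cert_cn "$2")
    if [ "$cn" != "$3" ]; then
        echo "CN '$cn' does not match serial number '$3'"
        return 1
    fi
    echo "ok: CN=$cn, chain verified"
}
```

Run `make_lab_certs /tmp/fmgcerts FMG-VM0000000001` followed by `check_ha_cert /tmp/fmgcerts/ca.crt /tmp/fmgcerts/local.crt FMG-VM0000000001`; for a real unit, point `check_chain` at the CA file you intend to import and the certificate you received from your PKI, and substitute the unit's actual serial number.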

 

Related articles:

Technical Tip: How to upload and set local certificate to be used in FortiManager/FortiAnalyzer

Technical Tip: Using an externally signed local certificate for OFTP connection

Technical Tip: How to import an SSL certificate as a local certificate

Technical Tip: How to configure FortiManager to use custom certificate for HA communication