FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
heng
Staff
Article Id 276541
Description

 

This article describes the requirements and configuration for a FortiGate with FIPS-CC enabled to send logs to FortiAnalyzer successfully. It also covers the requirements and configuration for non-FIPS-CC FortiGates that log to the same FortiAnalyzer.

 

Scope

 

FortiGate (FIPS-CC enabled), FortiAnalyzer.

 

Solution

 

The mandatory requirements to achieve successful logging from the FortiGate with FIPS-CC enabled to FortiAnalyzer are as follows:

 

  • FortiAnalyzer must be set to use a custom server certificate for OFTP. The server certificate can be issued by a private CA such as FortiAuthenticator, OpenSSL, or a Windows Server CA.
  • The FortiGate must import the CA certificate that signed the FortiAnalyzer custom server certificate.
  • In the FortiGate CLI, set server must be the FortiAnalyzer FQDN, and that FQDN must match the CN of the custom server certificate on FortiAnalyzer.
  • The FortiGate must be able to resolve that FQDN through DNS.
  • In the FortiGate CLI, set certificate-verification disable must be configured.

Note that the CA import and the FQDN/CN match remain mandatory even though certificate-verification is disabled.

For non-FIPS-CC FortiGates that send logs to the same FortiAnalyzer, the requirements are as follows:

 

  • FortiGate must import the CA cert that signed the custom server certificate in the FortiAnalyzer. 
  • FortiGate CLI config must be set to: set certificate-verification disable.

The FortiAnalyzer custom server certificate must be an X.509 certificate that meets the following requirements:

 

  • Its Common Name and Subject Alternative Name shall be its FQDN.
  • Its Extended Key Usage shall be serverAuth.
  • The current time/day shall fall within its validity.
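The following is an added example, not part of the article, showing how to issue a certificate that satisfies these requirements with an OpenSSL lab CA (one of the CA options named above) and how to check a candidate certificate against each requirement before uploading it to FortiAnalyzer. The CA name Lab-Root-CA, the 825-day lifetime and the temporary working directory are assumptions of the example; faz.fortinet.local and 10.47.88.99 come from the article. The ca.crt it produces is the file the FortiGate must import.

```shell
#!/usr/bin/env bash
# Added example (not from the article): issue a FortiAnalyzer OFTP server
# certificate from a small OpenSSL lab CA and check it against the X.509
# requirements listed above. Assumptions: the CA name "Lab-Root-CA", the
# 825-day lifetime and the throwaway working directory are my choices;
# the FQDN faz.fortinet.local comes from the article.
set -eu

FAZ_FQDN="faz.fortinet.local"
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_ca: create the private root CA. In production this is the role that
# FortiAuthenticator or a Windows Server CA plays; ca.crt is the file the
# FortiGate later imports as the signing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Lab-Root-CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# issue_cert NAME CN DAYS EXTENSIONS: issue a CA-signed leaf certificate.
# EXTENSIONS is the text of an OpenSSL extension file; a CSR alone carries
# no SAN or EKU, so those must be supplied here.
issue_cert() {
  local name="$1" cn="$2" days="$3" ext="$4"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  printf '%b' "$ext" > "$WORKDIR/$name.ext"
  openssl x509 -req -sha256 -days "$days" -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# check_oftp_cert CERT CA FQDN: print "ok" and return 0 only when every
# requirement holds; otherwise print the first failing requirement and return 1.
check_oftp_cert() {
  local cert="$1" ca="$2" fqdn="$3"
  local fqdn_re text
  fqdn_re="$(printf '%s' "$fqdn" | sed 's/\./\\./g')"   # literal dots in regexes
  text="$(openssl x509 -in "$cert" -noout -text)"
  # Common Name must be the FQDN (RFC2253 form prints CN=value).
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | grep -qE "CN=${fqdn_re}(,|\$)" || { echo "CN is not $fqdn"; return 1; }
  # Subject Alternative Name must carry the FQDN.
  printf '%s\n' "$text" | grep -q "DNS:${fqdn_re}" || { echo "SAN lacks DNS:$fqdn"; return 1; }
  # Extended Key Usage must include serverAuth ("TLS Web Server Authentication").
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || { echo "EKU lacks serverAuth"; return 1; }
  # Chain must verify against the CA the FortiGate imports; openssl verify also
  # rejects a certificate whose validity period does not cover the current time.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain/validity check failed"; return 1; }
  echo "ok"
}

make_ca
# Compliant certificate: CN and SAN are the FQDN, EKU is serverAuth.
issue_cert good "$FAZ_FQDN" 825 \
  "subjectAltName=DNS:${FAZ_FQDN}\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n"
# Common mistake: certificate issued to the IP address with no SAN or EKU.
# It still chains to the CA, but it does not meet the requirements above.
issue_cert bad "10.47.88.99" 825 "basicConstraints=CA:FALSE\n"

check_oftp_cert "$WORKDIR/good.crt" "$WORKDIR/ca.crt" "$FAZ_FQDN"          # ok
check_oftp_cert "$WORKDIR/bad.crt"  "$WORKDIR/ca.crt" "$FAZ_FQDN" || true  # CN is not faz.fortinet.local
```

Run the check against any certificate before importing it into FortiAnalyzer: a certificate issued to the IP address, or one that lacks the SAN or the serverAuth EKU, is rejected by the check even though it chains correctly, which is exactly the case that passes a casual "does it verify" test but fails the FIPS-CC requirements.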

In FortiAnalyzer:

 

  1. Import the custom server certificate into FortiAnalyzer. In this example, the FortiAnalyzer FQDN, and therefore the certificate CN, is faz.fortinet.local.

 

  2. Configure FortiAnalyzer via CLI to use the custom certificate for the OFTP connection, where "server_cert" is the name the certificate was imported under:

 

config system certificate oftp
    set mode local
    set local "server_cert"
end

 

  3. Restart the OFTP process so that it picks up the new certificate: diagnose test application oftpd 99.

 

In FortiGate:

  1. Enable FIPS-CC mode on the FortiGate as described in the KB article How to enable FIPS-CC mode; this requires console access.
  2. Make sure the FortiAnalyzer FQDN is resolvable from the FortiGate:

 

exe ping faz.fortinet.local
PING faz.fortinet.local (10.47.88.99): 56 data bytes
64 bytes from 10.47.88.99: icmp_seq=0 ttl=62 time=220.4 ms
64 bytes from 10.47.88.99: icmp_seq=1 ttl=62 time=220.3 ms
64 bytes from 10.47.88.99: icmp_seq=2 ttl=62 time=220.2 ms
64 bytes from 10.47.88.99: icmp_seq=3 ttl=62 time=220.2 ms
64 bytes from 10.47.88.99: icmp_seq=4 ttl=62 time=220.1 ms

--- faz.fortinet.local ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 220.1/220.2/220.4 ms

 

  3. Configure the FortiAnalyzer logging settings via CLI. set server must be the FortiAnalyzer FQDN (faz.fortinet.local in this example) and certificate-verification must be disabled, as required above:

 

config log fortianalyzer setting
    set status enable
    set server "faz.fortinet.local"
    set certificate-verification disable
    set upload-option realtime
    set reliable enable
end

 

  4. Import into the FortiGate the CA certificate that signed the FortiAnalyzer custom server certificate.

 

  5. Check connectivity from the FortiGate CLI. If the FortiGate has not yet been added to FortiAnalyzer, an authentication failure is expected:

 

execute log fortianalyzer test-connectivity
Failed to get FAZ's status. Authentication Failed. (-19)

 

  6. If the FortiGate has not been added yet, log back into FortiAnalyzer and authorize the FortiGate.

 

  7. Wait a minute or two for the OFTP connection to establish, then run the connectivity test again. The Tx and Rx log counters in the output should now be increasing:

 

execute log fortianalyzer test-connectivity
FortiAnalyzer Host Name: FAZ-74
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM08TM99999999
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 576885730B/53687091200B
Analytics Usage (Used/Allocated): 535450594B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 3/60 Days
Archive Usage (Used/Allocated): 41435136B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 3/365 Days
Log: Tx & Rx (638 logs received since 09:45:46 09/28/23)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
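As an added example (not from the article), the following script classifies the two kinds of test-connectivity output shown above, the "Authentication Failed. (-19)" response of an unauthorized device and the registered-device report, so that the authorization state and the received-log counter can be checked across many FortiGates from a script rather than by eye. The status labels NOT_AUTHORIZED, REGISTERED and UNKNOWN are my own; the sample inputs are copied from the article's output.

```shell
#!/usr/bin/env bash
# Added example (not from the article): triage the text that
# 'execute log fortianalyzer test-connectivity' prints. The sample outputs
# below are copied from the article; the status labels are my own.
set -eu

# classify_faz_output: reads test-connectivity output on stdin and prints
#   NOT_AUTHORIZED    FortiAnalyzer answered "Authentication Failed. (-19)",
#                     i.e. the device has not been authorized yet
#   REGISTERED <n>    registered and allowed, with n logs received so far
#   UNKNOWN           none of the expected markers found
classify_faz_output() {
  awk '
    /Authentication Failed/ { auth_failed = 1 }
    /^Registration:/        { reg = $2 }
    /^Connection:/          { conn = $2 }
    /logs received since/   {
      if (match($0, /[0-9]+ logs received/)) {
        n = substr($0, RSTART, RLENGTH); sub(/ logs received/, "", n)
      }
    }
    END {
      if (auth_failed)                            { print "NOT_AUTHORIZED"; exit }
      if (reg == "registered" && conn == "allow") { print "REGISTERED " (n == "" ? 0 : n); exit }
      print "UNKNOWN"
    }'
}

# Constructed input 1: the article's output before the FortiGate was authorized.
sample_unauthorized() {
  cat <<'EOF'
Failed to get FAZ's status. Authentication Failed. (-19)
EOF
}

# Constructed input 2: the article's output after authorization (abridged).
sample_registered() {
  cat <<'EOF'
FortiAnalyzer Host Name: FAZ-74
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM08TM99999999
Registration: registered
Connection: allow
Log: Tx & Rx (638 logs received since 09:45:46 09/28/23)
IPS Packet Log: Tx & Rx
EOF
}

sample_unauthorized | classify_faz_output   # NOT_AUTHORIZED
sample_registered   | classify_faz_output   # REGISTERED 638
```

A device that reports REGISTERED with a counter that does not grow between two runs has an OFTP session but no log flow, which is the symptom to look for after the certificate or FQDN changes.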

 

  8. Log back into the FortiAnalyzer GUI; the FortiGate is now sending logs in real time.

 

  9. In the FortiAnalyzer GUI, navigate to Log Browse -> FortiGate; the analytics logs should be received and displayed as expected.

 

  10. Because FortiAnalyzer uses a custom server certificate for OFTP and the FortiGate has certificate-verification disabled, FortiAnalyzer-to-FortiGate API access (used by functions such as SD-WAN and Fabric queries back to the FortiGate) needs explicit credentials: under FortiAnalyzer Device Manager, set the FortiGate's admin username and password manually for those functions to work properly.

 

 

  11. For other, non-FIPS-CC FortiGates sending logs to the same FortiAnalyzer, set server does not have to be the FQDN; either the IP address or the FQDN can be used (in this example, '10.47.88.99' or 'faz.fortinet.local'). certificate-verification must still be disabled, and the signing CA must still be imported, as listed in the requirements above:

 

config log fortianalyzer setting
    set status enable
    set server "10.47.88.99"
    set certificate-verification disable
    set upload-option realtime
    set reliable enable
end