FortiAnalyzer
vraev
Staff
Article Id 242726
Description

This article describes how to set up a custom certificate for the OFTP connection between FortiAnalyzer and the managed FortiGates.

Scope

FortiAnalyzer from version 6.2.3.

FortiGate from version 6.2.3.

Solution

The example below assumes that:

  • The same CA has issued the server certificates of FortiAnalyzer and all managed FortiGates.
  • The FortiAnalyzer and each FortiGate server certificate, with their corresponding private keys, were created directly on the CA side.

Alternatively, these server certificates can be created by generating CSRs on each unit and sending them to the CA for signing.

Importing the certificates:

  • Upload the CA certificate in the CA certificate section of both FortiAnalyzer and FortiGate.

How to import a CA certificate in FortiAnalyzer is explained here:

Technical Note: Import CA certificates in FortiManager or FortiAnalyzer

How to import a CA certificate in FortiGate is explained here:

Docs: FortiOS – CA Certificate

  • Import the signed server certificates (and their private keys) as local certificates.

How to import them depends on the enrollment method used and on the specific versions of FortiAnalyzer and FortiGate:

FortiAnalyzer documentation:

Local certificates.

FortiGate documentation:

Procuring and importing a signed SSL certificate.

Configuration:

Note:

When the settings below are changed and the 'end' command is issued, the OFTP tunnels between the FortiAnalyzer and all FortiGates go down.
Direct access to each managed FortiGate is then required to change its FortiAnalyzer settings accordingly.

The OFTP certificate settings are only available in the CLI.

FortiAnalyzer configuration:

config system certificate oftp
    set mode local
    set local "cert_faz"
end

diagnose test application oftpd 99   <- Restart the OFTP service so that it accepts the new configuration.

FortiGate configuration:

config log fortianalyzer setting
    set certificate-verification disable
    set certificate "<Local-Server_Certificate_Name>"   <- Defines which local certificate is used on port TCP/514.
    set reliable enable   <- Change from UDP to a TCP secure connection.
end

Example:

FortiAnalyzer side:

config system certificate oftp
    set mode local
    set local "cert_faz"
end

To restart the service under FortiManager:

diagnose test application oftpd 99

FortiGate:

config log fortianalyzer setting
    set certificate-verification disable
    set certificate "cert_fgt"
end

To restart the service under FortiGate:

fnsysctl killall miglogd

Troubleshooting:

The following CLI debug commands can be used to troubleshoot OFTP tunnel issues.

The output also shows certificate information during the TLS negotiation phase.

FortiAnalyzer:

diag debug app oftpd 8 <x.x.x.x>   <- A device name can be used instead. IP is preferable.
diag debug timestamp enable
diag debug enable

diagnose test application oftpd <integer>

40: test loading a CA cert from local path
95: debug output
99: restart daemon

FortiGate:

diag debug app miglog -1
diag debug console timestamp enable
diag debug enable

An external PC with 'openssl' (and 'nmap') installed can be used to verify the certificate chain presented by the units and the TLS ciphers they offer:

openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>
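The 'openssl s_client' check above can be scripted so that the chain a unit presents is actually validated against the CA that issued cert_faz and the FortiGate certificates, rather than just read by eye. The script below is an added example and is not part of the Fortinet article: fetch_chain captures the s_client transcript from a unit, extract_certs splits the PEM blocks out of it, and verify_chain runs 'openssl verify' on the leaf with any further certificates sent by the peer used as untrusted intermediates. Host names, ports and file names are placeholders, and make_lab_pki builds a constructed throwaway CA and server certificate so the functions can be exercised offline; it stands in for the real CA of the article.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check the certificate chain that a FortiAnalyzer
# or FortiGate presents on its OFTP/log port against the CA that is supposed to have issued it.
# Host names, ports and file names are placeholders.

# Capture the chain from a live unit. The OFTP listener is normally on TCP/514.
# Usage: fetch_chain <faz-address> 514 > chain.txt
fetch_chain() {
  host="$1"; port="${2:-514}"
  # </dev/null closes stdin so s_client exits right after the handshake.
  openssl s_client -showcerts -connect "$host:$port" </dev/null 2>/dev/null
}

# Split every PEM certificate found in a transcript (s_client output or any file)
# into $2/cert01.pem, $2/cert02.pem, ... and print how many were found.
extract_certs() {
  transcript="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$transcript"
}

# Print subject and issuer of the leaf (first) certificate in a transcript, to confirm
# that the unit really serves the certificate you configured (cert_faz / cert_fgt).
leaf_subject() {
  d=$(mktemp -d)
  extract_certs "$1" "$d" >/dev/null
  openssl x509 -in "$d/cert01.pem" -noout -subject -issuer
  rm -rf "$d"
}

# Verify the leaf against the trusted CA file; any further certificates the peer sent are
# treated as untrusted intermediates. Returns 0 only when the chain ends at that CA.
verify_chain() {
  cafile="$1"; transcript="$2"
  d=$(mktemp -d)
  n=$(extract_certs "$transcript" "$d")
  if [ "$n" -lt 1 ]; then
    echo "no certificate found in $transcript" >&2
    rm -rf "$d"; return 2
  fi
  : > "$d/untrusted.pem"
  i=2
  while [ "$i" -le "$n" ]; do
    cat "$d/$(printf 'cert%02d.pem' "$i")" >> "$d/untrusted.pem"
    i=$((i + 1))
  done
  if [ -s "$d/untrusted.pem" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$d/untrusted.pem" "$d/cert01.pem"
  else
    openssl verify -CAfile "$cafile" "$d/cert01.pem"
  fi
  rc=$?
  rm -rf "$d"
  return "$rc"
}

# Constructed lab PKI (one CA and one CA-signed server certificate, EC P-256) so the functions
# above can be exercised offline. It stands in for the real CA of the article.
make_lab_pki() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Lab OFTP CA $cn" -days 2 >/dev/null 2>&1 &&
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$cn" >/dev/null 2>&1 &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.pem" -days 2 >/dev/null 2>&1
}
```

Against real units, source the file and run 'fetch_chain <faz-address> 514 > chain.txt', then 'verify_chain ca.pem chain.txt' with the CA certificate that was imported on both sides, and 'leaf_subject chain.txt' to confirm the subject matches the local certificate selected with 'set local' / 'set certificate'. Since the FortiGate configuration above uses 'set certificate-verification disable', the FortiGate itself does not validate what the FortiAnalyzer presents, so this external check is the way to confirm that cert_faz, and not a previous or factory certificate, is actually being served.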


Related documents: