Description
This article describes how to setup a custom certificate to use for OFTP connection between FortiAnalyzer and the managed FortiGates.
Scope
FortiAnalyzer from version 6.2.3.
FortiGate from version 6.2.3.
Solution
The example below assumes that:
- The same CA has issued the server certificates of FortiAnalyzer and all managed FortiGates.
- The FortiAnalyzer and each FortiGate server certificate, with their corresponding private keys, were directly created on the CA side.
Alternatively, these server certificates can be created by generating CSRs on each unit and sending them to the CA for signing.
Importing the certificates:
- Upload the CA certificate under the FortiAnalyzer and the FortiGate CA certificate section.
How to import a CA certificate in FortiAnalyzer is explained here:
Technical Note: Import CA certificates in FortiAnalyzer or FortiAnalyzer
How to import a CA certificate in FortiGate is explained here:
Docs: FortiOS – CA Certificate
- Import the signed server certificates (and keys) as local certificates.
How to import them depends on the used enrollment method and the specific versions of FortiAnalyzer and FortiGates:
FortiAnalyzer documentation:
FortiGate documentation:
Procuring and importing a signed SSL certificate.
Configuration:
Note.
When the settings below are changed and the end command is used, the OFTP tunnels between the FortiAnalyzer and all FortiGates will go down.
Direct access to the managed FortiGate would be required in order to change their FortiAnalyzer setting accordingly.
The OFTP certificate settings are only available in the CLI.
FortiAnalyzer configuration:
config system certificate oftp
set mode local
set local “cert_faz”
end
diagnose test application oftpd 99 <----- Restart the OFTP service to accept the new configuration changes.
FortiGate configuration:
config log fortianalyzer setting
set certificate-verification disable
set certificate "<Local-Server_Certificate_Name>" <----- Defines which local certificate to be used on port TCP/514.
set reliable enable <----- change from UDP to TCP secure connection.
end
Example:
FortiAnalyzer side:
config system certificate oftp
set mode local
set local “cert_faz”
end
To restart the service under FortiManager:
diagnose test application oftpd 99
FortiGate:
config log fortianalyzer setting
set certificate-verification disable
set certificate “cert_fgt”
end
To restart the service under FortiGate:
fnsysctl killall miglogd
Troubleshooting:
The following CLI debug can be used to troubleshoot OFTP tunnel issues.
The output also shows certificate information during the TLS negotiation phase.
FortiAnalyzer:
diag debug app oftpd 8 <x.x.x.x> <---- Or device name can be used. IP is preferable.
diag debug timestamp enable
diag debug enable
FortiGate:
diag debug app miglog -1
diag debug console timestamp enable
diag debug enable
diagnose test application oftpd <integer>
- 40: test loading a CA cert from local path
- 95: debug output
- 99: restart daemon
External PC, with 'openssl' installed, can be used to verify that the correct certificate chain is used by the units:
openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>
Related documents:
Technical Note: Import CA certificates in FortiAnalyzer or FortiAnalyzer
Technical Note: Configure SSL certificate for the FortiAnalyzer / FortiAnalyzer admin GUI v5.4
Technical Tip: TLS and the use of Digital Certificates
Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiAnalyzer
Technical Tip: Setup custom certificate for FGFM protocol
Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer
