Created on 01-12-2023 02:03 AM Edited on 12-02-2024 03:02 AM By Jean-Philippe_P
This article describes how to set up a custom certificate for the OFTP connection between FortiAnalyzer and the managed FortiGates.
FortiAnalyzer from version 6.2.3.
FortiGate from version 6.2.3.
The example below assumes that:
Alternatively, these server certificates can be created by generating CSRs on each unit and sending them to the CA for signing.
Importing the certificates:
How to import a CA certificate in FortiAnalyzer is explained here:
Technical Note: Import CA certificates in FortiManager or FortiAnalyzer
How to import a CA certificate in FortiGate is explained here:
Docs: FortiOS – CA Certificate
How to import them depends on the enrollment method used and the specific versions of FortiAnalyzer and FortiGate:
FortiAnalyzer documentation:
FortiGate documentation:
Procuring and importing a signed SSL certificate.
Configuration:
Note:
When the settings below are changed and the end command is used, the OFTP tunnels between the FortiAnalyzer and all FortiGates will go down.
Direct access to the managed FortiGates would be required to change their FortiAnalyzer settings accordingly.
The OFTP certificate settings are only available in the CLI.
FortiAnalyzer configuration:
config system certificate oftp
set mode local
set local "cert_faz"
end
diagnose test application oftpd 99 <- Restart the OFTP service to accept the new configuration changes.
FortiGate configuration:
config log fortianalyzer setting
set certificate-verification disable
set certificate "<Local-Server_Certificate_Name>" <- Defines which local certificate to be used on port TCP/514.
set reliable enable <- Change from UDP to TCP secure connection.
end
Example:
FortiAnalyzer side:
config system certificate oftp
set mode local
set local "cert_faz"
end
To restart the service under FortiManager:
diagnose test application oftpd 99
FortiGate:
config log fortianalyzer setting
set certificate-verification disable
set certificate "cert_fgt"
end
To restart the service under FortiGate:
fnsysctl killall miglogd
Troubleshooting:
The following CLI debug can be used to troubleshoot OFTP tunnel issues.
The output also shows certificate information during the TLS negotiation phase.
FortiAnalyzer:
diag debug app oftpd 8 <x.x.x.x> <- A device name can be used instead. IP is preferable.
diag debug timestamp enable
diag debug enable
diagnose test application oftpd <integer>
40: test loading a CA cert from local path
95: debug output
99: restart daemon
FortiGate:
diag debug app miglog -1
diag debug console timestamp enable
diag debug enable
An external PC, with 'openssl' installed, can be used to verify that the correct certificate chain is used by the units:
openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>
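The openssl check above shows the chain by eye. The script below is an added example (not part of this article or of Fortinet's tooling) that does the same check from an external PC with Python's standard library only: it opens a TLS connection to the OFTP port, enforces verification against the CA file that signed the custom certificates, and then evaluates the presented certificate's issuer, subject and validity window. The host address, the CA file path, the expected common names and the SAMPLE_CERT dictionary are assumptions constructed for the example.

```python
"""Check which certificate a FortiGate or FortiAnalyzer presents on its OFTP port (TCP/514).

Added example for this article: a defender-side check that the custom certificate
(rather than the factory default) is served and that it chains to the expected CA.
Host names, file paths and the constructed sample certificate below are assumptions.
"""
import socket
import ssl
import time
from typing import List, Optional

OFTP_PORT = 514  # OFTP over TLS, as referenced in the article


def fetch_peer_cert(host: str, ca_file: str, port: int = OFTP_PORT, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the peer certificate in the
    dict form produced by ssl.SSLSocket.getpeercert().

    Verification against ca_file is enforced, so a chain that does not lead to
    the expected CA raises ssl.SSLCertVerificationError instead of returning.
    Hostname checking is off because the units are normally addressed by IP.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(name: tuple, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples
    that getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def assess_peer_cert(cert: dict, expected_issuer_cn: str, expected_subject_cn: str,
                     now: Optional[float] = None, warn_days: int = 30) -> List[str]:
    """Return a list of findings; an empty list means the certificate is the one
    expected (signed by our CA, correct subject, inside its validity window and
    not about to expire)."""
    findings: List[str] = []
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        # A factory-default certificate would show a Fortinet issuer here.
        findings.append(f"issuer CN is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    if subject_cn != expected_subject_cn:
        findings.append(f"subject CN is {subject_cn!r}, expected {expected_subject_cn!r}")

    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    elif now > not_after:
        findings.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        days_left = int((not_after - now) // 86400)
        findings.append(f"certificate expires in {days_left} days")
    return findings


# Constructed sample in the shape getpeercert() returns; not real device output.
SAMPLE_CERT = {
    "subject": ((("commonName", "cert_fgt"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example-CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
    "serialNumber": "01",
    "version": 3,
}


if __name__ == "__main__":
    # Assumed values: a FortiGate at a TEST-NET address and the CA that signed cert_fgt.
    cert = fetch_peer_cert("192.0.2.10", "example-ca.pem")
    problems = assess_peer_cert(cert, expected_issuer_cn="Example-CA", expected_subject_cn="cert_fgt")
    print("OK: custom certificate presented" if not problems else "\n".join(problems))
```

Run it against each managed FortiGate on TCP/514 and against the FortiAnalyzer itself; a handshake failure from fetch_peer_cert means the unit is still presenting a certificate that does not chain to the imported CA, which is the state you are in before the OFTP service has been restarted with the new settings.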
Related documents:
Copyright 2024 Fortinet, Inc. All Rights Reserved.