mantaransingh_FTNT
Article Id 189604

Description

This article explains how to configure FortiAnalyzer to use an alternate server certificate for OFTP communication with a FortiGate.

By default, FortiAnalyzer uses the local certificate issued by the Fortinet CA, called "Fortinet_Local".

Scope

The CA certificate used to issue the server certificate must be imported into all managed FortiGates so that each FortiGate can validate the certificate presented by the FortiAnalyzer.
Both the server certificate and its private key, in PEM format, must be imported into the FortiAnalyzer.

Solution

To change the server certificate used for OFTP:
1) Import the CA certificate into all managed FortiGates.
2) Import the server certificate and private key, in PEM format, into the FortiAnalyzer.

1) FortiGate side configuration:

- Import the CA certificate into all managed FortiGates.

The figure below shows how to do this via the GUI.

2) FortiAnalyzer side configuration:

- Configure the certificate for OFTP:

config system certificate oftp
    set custom enable
    set certificate "<PEM certificate>"        ---->> Server certificate in PEM format.
    set private-key "<PEM private key>"        ---->> Private key in PEM format.
    set password <password>                    ---->> Password for an encrypted private key; leave unset if the key is not encrypted.
end

Note: The password is not required if the key is not encrypted.

- Once the configuration is done, FortiAnalyzer restarts the OFTP communication with the FortiGates.
- The hostname (CN) in the certificate should be the serial number of the FortiAnalyzer.

- The figure below is a sample CSR:

Alternative FortiAnalyzer configuration:

This alternative method explains how to use any previously imported local certificate for OFTP.

Use the following CLI commands to change the certificate used on the OFTP port, TCP/514:

# config system certificate oftp
    set mode local
    set local "<LOCAL_CERTIFICATE_NAME>"
end

Note:
This option is often used to replace the embedded SHA-1 certificate of older FortiAnalyzer hardware platforms (for example the E-series), where the BIOS certificate is SHA-1 but a firmware update also provides a SHA-256 default local certificate named 'Fortinet_Local'.
This certificate also contains the unit serial number in the CN field, which allows FortiAnalyzer certificate verification to remain enabled on the FortiGates.

After changing this configuration, restart the 'oftpd' process for the changes to take effect:

# diag test application oftpd 99

(Or reboot the FortiAnalyzer.)