kcheng
Staff
Article Id 228692
Description This article describes how to configure a FortiAnalyzer to use an externally signed local (custom) certificate for OFTP connection between FortiGate and FortiAnalyzer, for log transmission purposes.
Scope FortiAnalyzer, FortiGate.
Solution
  1. Generate a Certificate Signing Request from FortiAnalyzer.
    Navigate to System Settings -> Certificates -> Local Certificates and select Create New.
    Enter the relevant information in the CSR. It is mandatory to enter the FortiAnalyzer Serial Number into the Domain Name parameter if certificate validation is enabled on FortiGate.

  2. Download the generated CSR.

  3. To generate the certificate, sign the CSR with either a public CA or a private CA. In this demo, FortiAuthenticator is used as the CA server.

  4. After signing the CSR, export and download the generated certificate.

  5. In FortiAnalyzer, import the signed certificate.

  6. The certificate status changes from Pending to OK once the certificate has been uploaded correctly.

  7. Once the certificate has been imported, configure the use of the local certificate in the CLI, where FAZ_SSL is the name given to the imported local certificate:

    config system certificate oftp
        set mode local
        set local "FAZ_SSL"
    end

    Then restart the OFTP daemon so that the new certificate is used:

    diag test app oftpd 99

  8. In FortiGate, import the CA certificate if a private CA was used. In this case, the FortiAuthenticator CA certificate used to sign the CSR is imported.

  9. Validate the connection status in FortiGate.

  10. To verify the connection from the FortiGate CLI, run the following command:

    exec log fortianalyzer test-connectivity


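As an added example (not part of this article or of any Fortinet tool), the following POSIX shell script uses the openssl CLI to check a signed certificate before it is imported in step 5: it must chain to the CA certificate that FortiGate will trust (step 8) and, when certificate validation is enabled on FortiGate, its Common Name must be the FortiAnalyzer serial number (step 1). The serial FAZ-VMTM00000001 and the demo CA are constructed placeholders.

```shell
# Added pre-import check for a FortiAnalyzer OFTP certificate; requires openssl.
# FAZ-VMTM00000001 below is a constructed placeholder, not a real serial number.

# check_oftp_cert CERT CA_CERT EXPECTED_SERIAL -> returns 0 only if every check passes
check_oftp_cert() {
    cert=$1; ca=$2; expected=$3
    # 1. The certificate must validate against the CA that FortiGate will import.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # 2. The subject CN must equal the FortiAnalyzer serial number.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$expected" ]; then
        echo "FAIL: CN '$cn' is not the FortiAnalyzer serial '$expected'"; return 1
    fi
    # 3. The certificate must be inside its validity period right now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired"; return 1
    fi
    echo "OK: $cert chains to $ca and its CN matches $expected"
}

# Build a throwaway private CA and two certificates signed by it (constructed
# demo data): one with the serial as CN, one with a hostname as CN.
# Prints the directory holding ca.pem and the generated certificates.
make_demo_certs() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Private CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1 || return 1
    for cn in FAZ-VMTM00000001 faz.example.com; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$cn.key" -out "$cn.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$cn.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 30 -out "$cn.pem" >/dev/null 2>&1 || return 1
    done
    echo "$dir"
}

# Usage: the first certificate passes; the second is rejected on the CN check.
demo=$(make_demo_certs)
check_oftp_cert "$demo/FAZ-VMTM00000001.pem" "$demo/ca.pem" FAZ-VMTM00000001
check_oftp_cert "$demo/faz.example.com.pem" "$demo/ca.pem" FAZ-VMTM00000001 || echo "(rejected, as expected)"
```

On a real deployment, pass the certificate downloaded in step 4, the CA certificate you will import in step 8, and the serial number shown on the FortiAnalyzer dashboard.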
Related article:

Technical Tip : Adding SAN(Subject Alternative Name) while generating CSR(Certificate Signing Reques...