FortiKoala
Staff
Article Id 191527

Description


This article was written in response to the problem, and the complexity of managing SSL certificates, highlighted in these articles:

Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers.
https://thehackernews.com/2020/09/fortigate-vpn-security.html?utm_source=feedburner&utm_medium=feed&...

 
Breaching The Fort.
https://securingsam.com/breaching-the-fort/


FortiGate VPN Default Config Allows MitM Attacks.
https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/

When a user connects to a Fortinet SSL VPN that uses a self-signed certificate, a certificate warning informs the user that the certificate is untrusted or unknown and asks the user to confirm whether to accept it.
The common message from FortiClient (Fortinet VPN Client):


At this step, if the user does not view the details of the SSL VPN server certificate before clicking accept, an attacker can intercept the SSL VPN traffic and present their own certificate instead. The attacker will then be able to decrypt content sent and received between the VPN client and the FortiGate.


The following instructions describe how to mitigate SSL Man in the Middle (MitM) attacks when connecting to SSL VPN and are aimed especially at small-medium businesses who regularly have a work-from-home routine and now require near-enterprise grade security, but unfortunately do not have the resources and expertise to maintain enterprise-level security systems.

The common message in a browser is:


Solution

 

 
The following steps need to be followed to install a trusted CA-signed SSL certificate for your FortiGate SSL VPN solution.
 
1) Register the FortiGate with FortiGuard

 https://community.fortinet.com/t5/Customer-Service/Customer-Service-Note-Registration-FAQ-Frequently...


2) If a DNS entry already exists for the Internet-facing WAN connection, go to step 3); otherwise create a valid Dynamic DNS entry for the public IP address.
 
To configure FortiGuard as the DDNS server from GUI:
 
- Go to Network -> DNS.
 
- Enable FortiGuard DDNS.
     
 
- Select the Interface with the dynamic connection e.g. WAN1.
- Use the public IP address as otherwise DDNS will register the internally mapped IP.
 
 
- Select the Server with the account.
- Enter the Unique Location, i.e. the location of the FortiGate; try to use short internal prefixes.
- Select 'Apply'.
 
 
3) Register a certificate for your domain, e.g. branch.float-zone.com, with a verified Certificate Authority (CA)

- Purchase an SSL certificate package from a Certificate Authority (CA). 
 
  •  SSL certificate packages can be purchased from any CA, such as Comodo, GoDaddy, or GlobalSign.
 
- To purchase a certificate package:
 
  •  Create an account with the chosen vendor, or use the account used to purchase the domain.
  • Locate the SSL Certificates page.
  • Purchase a basic SSL certificate for domain validation only.
  • After purchasing the certificate, the CA will direct you to set up the certificate so that it can be verified.

- If the CA needs a Certificate Signing Request (CSR), follow these steps; otherwise go to Setup the SSL certificate.

 
Some CAs can auto-generate the CSR during the signing process, or provide tools for creating CSRs, such as GlobalSign’s SSL Certificate Signing Request Tool.
If necessary, a CSR can be quickly created from the FortiGate GUI.
 
- Log in to the FortiGate unit and browse to System -> Certificates.
- Select Generate in the toolbar.
- Enter the required information in the Generate Certificate Signing Request screen:
 
  •  Ensure that the certificate has a unique name. e.g. branch.float-zone.com-cert
  • Select Domain Name in the ID Type field, e.g. branch.float-zone.com.
  •  Ensure that the Key Size is set to 2048 Bit.
  • Set the Enrollment Method to File Based.
  • Select OK to create the CSR.
 
 
The CSR will be added to the certificate list with a status of PENDING.
 
- Select the new CSR in the Local Certificates page and select Download to save the CSR to your computer.
The CSR file can be opened in any text editor and should resemble the following:
-----BEGIN CERTIFICATE REQUEST-----
MIIDDjCCAfYCAQAwgZcxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEV
………
WP2WDWfUp8zx1jYQJpgOjBmW
-----END CERTIFICATE REQUEST-----
 
Setup the SSL certificate.
 
Note: The following instructions use GoDaddy as an example.
 
- Immediately after purchasing the certificate, you will be taken to your account page.
- Find the newly purchased certificate and select Manage to open the Certificate page.
- Select Setup.
- If a CSR generated by the FortiGate is used:
a. Open the CSR file in a text editor
b. Copy the file contents
c. Paste it into the text box.
- Select a signature algorithm, read and then agree to the subscriber agreement, then select Request Certificate.
 

 
- The Certificate Verification screen opens, the certificate is verified and the user is redirected to the Certificate Management screen.
- Select Download to download the signed certificate, as a Zip file, to your computer. The server type can be set to Other.
 
4) Import the signed certificate into the FortiGate.
 
- Unzip the file downloaded from the CA.
There should be two .CRT files: a CA certificate with bundle in the file name, and a local certificate.
 
    - Log in to the FortiGate unit and browse to System -> Certificates.
    - Select Import -> Local Certificate to import the local certificate.
 
The status of the certificate will change from PENDING to OK.
 
    - Import the CA certificate by selecting Import -> CA Certificate. It will be listed in the CA Certificates section of the certificates list.
 
Configure SSL VPN using the signed certificate.
 
5) Configure your FortiGate device to use the signed certificate
 
- Log in to your FortiGate unit and browse to VPN -> SSL -> Settings.
- In the Connection Settings section, locate the Server Certificate field.
- Select the new certificate from the Server Certificate drop-down menu.
- Select Apply to configure SSL VPN to use the new certificate.
 
Test the SSL VPN connection in a browser e.g. https://branch.float-zone.com
 
The certificate error message should not appear.
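
The files from steps 3 and 4 can be checked on a workstation before they are imported into the FortiGate. The script below is an added example, not part of the original article or of Fortinet tooling; it assumes the OpenSSL command-line tool is installed, and the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the CSR, the signed certificate and the CA
# bundle before import. File names passed in are placeholders.

# True if the signed certificate carries the same public key as the CSR,
# i.e. it pairs with the private key that stayed on the FortiGate.
cert_matches_csr() {   # $1 = CSR file, $2 = signed certificate
  csr_key=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) || return 1
  crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# True if the certificate verifies against the CA bundle from the Zip file.
cert_chains_to() {     # $1 = signed certificate, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if the certificate is valid for the VPN hostname (SAN, else CN).
# The exit code of -checkhost is not reliable, so the message is matched.
cert_covers_host() {   # $1 = signed certificate, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match'
}

# Run all three checks and report the first one that fails.
check_signed_cert() {  # $1 CSR, $2 certificate, $3 CA bundle, $4 hostname
  cert_matches_csr "$1" "$2" || { echo "FAIL: public key differs from CSR"; return 1; }
  cert_chains_to   "$2" "$3" || { echo "FAIL: does not chain to CA bundle"; return 1; }
  cert_covers_host "$2" "$4" || { echo "FAIL: not issued for $4"; return 1; }
  echo "OK: key, chain and hostname check out for $4"
}

# Runs only when called with four arguments, for example:
#   sh check.sh branch.csr branch.crt bundle.crt branch.float-zone.com
if [ "$#" -eq 4 ]; then check_signed_cert "$@"; fi
```

A public key mismatch means the certificate was issued for a different CSR, so the import in step 4 would not pair it with the pending request.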
 
Note:
Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations can set up their appliance customized to their own unique deployment.
Each VPN appliance and the setup process provide multiple clear warnings in the GUI, with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples.
Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk.