Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anoushiravan
Staff
Staff

Created on ‎01-31-2024 01:17 AM

Article Id 296860

Technical Tip: SSL VPN user is matching a wrong peer configured on FortiGate while each peer is connected to SSL VPN with a different CN in certificate

Description

This article describes the case when the CN of the peer's certificate is similar or shares a common value, then FortiGate might match the SSL VPN user with the first peer config that has a slimmer CN. As a result, SSL VPN may hit the wrong user group and traffic might hit the wrong firewall policy.

 

config user peer
    edit "pki01"
        set ca "CA_Cert_1"
        set subject "C=CZ, L=Prague, O=Fortinet, OU=IT Department, CN=testpki, emailAddress=gescom@tenerife.es"
    next
    edit "pki02"
        set ca "CA_Cert_1"
        set subject "C=CZ, L=Prague, O=Fortinet, OU=IT Department, CN=ext-testpki1, emailAddress=gescom@tenerife.es"
    next
end

 

Each peer has been enabled in a different group (and has been enabled on a different firewall policy as well):


config user group
    edit "pki.group.1"
        set member "pki01"
    next
    edit "pki.group.2"
        set member "pki02"
    next
end

 

When both SSL VPN users are connecting with two different certificates (which have different CN), on FortiGate both users matched the first peer 'pki01' since both peers have 'testpki' in common in CN:

 

FGT # get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0    pki01,cn=testpki            pki.group.1   32(1)     291    28723    10.125.5.132 0/0 0/0 0
1    pki01,cn=ext-testpki1    pki.group.1   32(1)      296    28760    10.125.3.40 0/0 0/0 0

SSL VPN sessions:

Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0     pki01,cn=testpki            pki.group.1    10.125.5.132    77   0/0   10.212.134.200
1     pki01,cn=ext-testpki1    pki.group.1     10.125.3.40     40   0/0   10.212.134.201
Scope FortiGate.
Solution

The subject-match must be changed from 'substring' to 'value', 'substring' is the default setting.

 

  • When subject-match is set to 'substring', FortiGate will find a match if the name being searched for is a part of the same as a certificate subject RDN.
  • When subject-match is set to 'value', FortiGate will find a match if the name being searched for is the same as a certificate subject RDN.

 

config vpn certificate setting
    set subject-match value  <--
end

 

Note: If VDOM is enabled, the changes should be done per VDOM:

 

config vdom
    edit <vdom name> <--
        config vpn certificate setting
            set subject-match value
        end
end

 

FGT # get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0   pki01,cn=testpki            pki.group.1   32(1)     242   22323    10.125.5.132 0/0 0/0 0
  pki02,cn=ext-testpki1    pki.group.2    32(1)    163   23560    10.125.3.40 0/0 0/0 0

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0   pki01,cn=testpki              pki.group.1    10.125.5.132   24  0/0   10.212.134.200
1   pki02,cn=ext-testpki1      pki.group.2     10.125.3.40    52   0/0   10.212.134.201
907
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.