Description | This article describes the steps involved in establishing a secure connection between FortiGate and FortiGuard servers. |
Scope | FortiGate, FortiGuard. |
Solution |
To establish a connection with a FortiGuard server, FortiGate must verify that it is talking to a genuine FortiGuard server and not to an impostor. FortiGuard servers support Online Certificate Status Protocol (OCSP) stapling: during the TLS handshake the server attaches a time-stamped OCSP response for its own certificate, obtained from the OCSP responder, so that FortiGate can check the certificate's revocation status without contacting the OCSP responder itself. The stapled status can be seen in a packet capture of the handshake and in the debug output of the update daemon.
Further information about OCSP can be found on this glossary page.
SSL/TLS Client Hello OCSP status request: FortiGate sends a 'ClientHello' message that lists its capabilities (supported protocol versions, cipher suites and extensions) and includes the status_request extension, which asks the server to staple an OCSP response for its certificate.
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
Server Hello with a certificate and OCSP status: FortiGuard responds with a 'ServerHello' carrying the parameters it selected from the client's offer, its server certificate chain, and (in TLS 1.2) a 'CertificateStatus' handshake message carrying the stapled OCSP response. FortiGate validates the chain against the Fortinet root CA loaded above and checks the stapled response before continuing.
__upd_peer_vfy[334]-Server certificate OK.
Client Certificate, Key information: Based on the key exchange method negotiated in the previous two steps, the client sends its key-exchange data in 'ClientKeyExchange'. With RSA key exchange the client generates a random string of bytes called the 'pre-master secret', encrypts it with the server's public key and sends it to the server; with (EC)DHE the client sends its ephemeral public key instead and both sides derive the pre-master secret. If the server requested client authentication, the client's certificate is sent in this step as well.
Certificate verify, Finished (Client): If a client certificate was sent, 'CertificateVerify' proves possession of the matching private key by signing the handshake messages so far. The client then switches to the negotiated keys and sends 'Finished', the first encrypted message, which contains a hash of the entire handshake transcript so that any tampering with earlier messages is detected.
Finished (Server): The server switches to the negotiated keys and sends its own 'Finished', proving that it derived the same keys and saw the same transcript.
Encrypted Communication: The handshake is complete, and FortiGate and FortiGuard exchange update traffic as application data protected by the negotiated keys.
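As an added example (not code from the Fortinet article or from FortiOS), the following Python script parses raw TLS 1.2 handshake bytes, such as the reassembled TCP payloads from the packet capture mentioned above, and reports the two things the steps above describe: whether the ClientHello carried the status_request extension (type 5) and whether the server answered with a CertificateStatus message (handshake type 22) holding a stapled OCSP response. The sample handshake at the end is constructed inline with placeholder certificate and OCSP bytes so that the script runs offline; it is not a real FortiGuard capture.

```python
"""Spot the OCSP-stapling pieces of a TLS 1.2 handshake in raw record bytes.

Added example, not code from the Fortinet article or FortiOS. Input is the
client-to-server and server-to-client byte streams of a handshake; the sample
at the bottom is constructed inline so the script runs offline.
"""
import struct
from typing import Iterator, Optional, Tuple

# TLS constants (RFC 5246 handshake layout, RFC 6066 status_request)
HANDSHAKE = 22            # record content type
CLIENT_HELLO = 1          # handshake message types
SERVER_HELLO = 2
CERTIFICATE = 11
CERTIFICATE_STATUS = 22
EXT_STATUS_REQUEST = 5    # ClientHello extension asking for a stapled OCSP response
OCSP_STATUS_TYPE = 1      # CertificateStatusType.ocsp


def iter_handshake_messages(records: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (msg_type, body) for each handshake message in a run of TLS records.

    Handshake fragments are concatenated first: one message may span several
    records and one record may carry several messages.
    """
    buf, off = b"", 0
    while off + 5 <= len(records):
        ctype, _version, length = struct.unpack("!BHH", records[off:off + 5])
        frag = records[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            buf += frag
        off += 5 + length
    pos = 0
    while pos + 4 <= len(buf):
        msg_type = buf[pos]
        msg_len = int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = buf[pos + 4:pos + 4 + msg_len]
        if len(body) != msg_len:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + msg_len


def client_hello_requests_ocsp(body: bytes) -> bool:
    """True if a ClientHello body carries status_request with status_type ocsp."""
    pos = 2 + 32                                           # client_version, random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return False                                       # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_STATUS_REQUEST and ext_data[:1] == bytes([OCSP_STATUS_TYPE]):
            return True
    return False


def stapled_ocsp_response(body: bytes) -> Optional[bytes]:
    """Return the DER OCSPResponse from a CertificateStatus body, or None."""
    if body[:1] != bytes([OCSP_STATUS_TYPE]):
        return None
    length = int.from_bytes(body[1:4], "big")              # opaque ocsp_response<1..2^24-1>
    return body[4:4 + length] if len(body) >= 4 + length else None


def check_stapling(client_bytes: bytes, server_bytes: bytes) -> Tuple[bool, Optional[bytes]]:
    """Return (client asked for OCSP?, stapled response bytes or None)."""
    requested = any(t == CLIENT_HELLO and client_hello_requests_ocsp(b)
                    for t, b in iter_handshake_messages(client_bytes))
    stapled = None
    for t, b in iter_handshake_messages(server_bytes):
        if t == CERTIFICATE_STATUS:
            stapled = stapled_ocsp_response(b)
    return requested, stapled


# ---- constructed sample handshake (placeholders, not a real FortiGuard capture) ----
def _hs(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(frag: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(frag)) + frag


def build_client_hello(request_ocsp: bool) -> bytes:
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"      # version, random, empty session id
    body += b"\x00\x02\xc0\x2f"                     # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # compression: null only
    exts = b""
    if request_ocsp:                                # status_type=ocsp, empty responder list and extensions
        data = bytes([OCSP_STATUS_TYPE]) + b"\x00\x00" + b"\x00\x00"
        exts = struct.pack("!HH", EXT_STATUS_REQUEST, len(data)) + data
    body += len(exts).to_bytes(2, "big") + exts
    return _record(_hs(CLIENT_HELLO, body))


def build_server_flight(ocsp_der: Optional[bytes]) -> bytes:
    hello = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"  # version, random, no session id, suite, null
    cert_der = b"PLACEHOLDER-DER"                   # stands in for the server certificate
    certs = (len(cert_der) + 3).to_bytes(3, "big") + len(cert_der).to_bytes(3, "big") + cert_der
    flight = _hs(SERVER_HELLO, hello) + _hs(CERTIFICATE, certs)
    if ocsp_der is not None:
        flight += _hs(CERTIFICATE_STATUS, bytes([OCSP_STATUS_TYPE]) + len(ocsp_der).to_bytes(3, "big") + ocsp_der)
    return _record(flight)


SAMPLE_OCSP = b"\x30\x03\x0a\x01\x00"   # constructed stand-in for a DER OCSPResponse

if __name__ == "__main__":
    print(check_stapling(build_client_hello(True), build_server_flight(SAMPLE_OCSP)))
    print(check_stapling(build_client_hello(True), build_server_flight(None)))
```

Against a real capture, feed each direction's TCP payload from the ClientHello record onward to check_stapling; the case to investigate is a client that asked for status and a server flight with no CertificateStatus, because the client then has no stapled proof of the certificate's revocation status. The parser covers the TLS 1.2 message layout used in the steps above; in TLS 1.3 the stapled response travels inside the Certificate message's extensions instead.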
Related articles: Troubleshooting Tip: Unable to connect to FortiGuard servers |
Copyright 2024 Fortinet, Inc. All Rights Reserved.