FortiGate
alif
Staff
Article Id 357173
Description This article describes the steps involved in establishing a secure connection between FortiGate and FortiGuard servers.
Scope FortiGate, FortiGuard.
Solution

To establish a connection with a FortiGuard server, FortiGate must first verify that it is talking to a genuine FortiGuard server. FortiGuard servers use an Online Certificate Status Protocol (OCSP) stapling check during the TLS handshake: a time-stamped OCSP status of the server certificate, obtained from the OCSP responder, is appended to the TLS response. This can be seen by running a packet capture and enabling debug output for the update daemon.

Further information about OCSP can be found on this glossary page.

[Diagram: FGT_FGD.png]

SSL/TLS Client Hello OCSP status request:

FortiGate sends a 'ClientHello' message that lists its capabilities along with a request for OCSP status.

[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.

Server Hello with a certificate and OCSP status:

FortiGuard responds with a server certificate and parameters negotiated based on its capabilities.

__upd_peer_vfy[334]-Server certificate OK.
__upd_peer_vfy[334]-Server certificate OK.
__upd_peer_vfy[334]-Server certificate OK.
__upd_peer_vfy[334]-Server certificate OK.
[399] __bio_mem_dump: OCSP status good

Client Certificate, Key information:

Based on the key exchange method selected in the previous two steps, the client generates a random string of bytes called the 'pre-master secret', encrypts it with the server's public key, and sends it to the server.
The session key is then derived from it, and the client signals the server to switch to encrypted mode.

Certificate verify, Finished (Client):
The 'Certificate verify' message allows the server to authenticate the client.
The 'Finished' message from the client indicates that the SSL handshake has been completed on the client side.

Finished (Server):
The 'Finished' message from the server indicates that the SSL handshake has been completed on the server side.

Encrypted Communication:
Encrypted communication between the client (FortiGate) and the server (FortiGuard) now begins, using the encryption algorithm and hash functions negotiated during the Client/Server Hello and the secret key exchanged above.
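As an added troubleshooting helper (not part of this article or of FortiOS), the following Python script reads update-daemon debug output in the format quoted above and lists which handshake milestones are missing; the string patterns are the ones shown in this article, and the sample log is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the update-daemon debug lines quoted above (not a real capture).
SAMPLE_LOG = """\
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
__upd_peer_vfy[334]-Server certificate OK.
__upd_peer_vfy[334]-Server certificate OK.
[399] __bio_mem_dump: OCSP status good
"""

# The stapled status is logged as a single word after "OCSP status".
OCSP_STATUS_RE = re.compile(r"__bio_mem_dump: OCSP status (\S+)")

@dataclass
class HandshakeCheck:
    ocsp_stapling_enabled: bool   # client asked for a stapled OCSP status
    cert_ok_count: int            # "Server certificate OK." lines seen
    ocsp_status: Optional[str]    # stapled status word, None if never logged

    def findings(self) -> List[str]:
        # Empty list means every milestone of the handshake was logged as expected.
        out = []
        if not self.ocsp_stapling_enabled:
            out.append("OCSP stapling was not enabled on the client side")
        if self.cert_ok_count == 0:
            out.append("server certificate was never reported OK")
        if self.ocsp_status is None:
            out.append("no stapled OCSP status was received")
        elif self.ocsp_status != "good":
            out.append(f"stapled OCSP status is '{self.ocsp_status}', not 'good'")
        return out

def analyse_update_debug(log: str) -> HandshakeCheck:
    # Walk the debug output once and record which milestones appear.
    stapling, cert_ok, status = False, 0, None
    for line in log.splitlines():
        if "Enable OCSP Stapling" in line:
            stapling = True
        elif "Server certificate OK" in line:
            cert_ok += 1
        elif (m := OCSP_STATUS_RE.search(line)):
            status = m.group(1)
    return HandshakeCheck(stapling, cert_ok, status)
```

When a FortiGuard connection fails, pass the real update-daemon debug output to analyse_update_debug() to see whether the chain never verified or the stapled OCSP status was never received.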

Related articles:

Troubleshooting Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard Overview and Troubleshooting