FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
edgar1
Staff
Article Id 245814

Description

This article describes why deep inspection stops working after an upgrade from LENC (low-encryption) firmware to high-encryption firmware.

The certificate that the FortiGate presents to clients can be reviewed with curl or OpenSSL; the resigned certificate carries only a 512-bit key:


subject=CN = www.globo.com
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGT6HD5818-----2, emailAddress = support@fortinet.com
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2438 bytes and written 326 bytes
Verification error: EE certificate key too weak
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 512 bit <----- Issue.
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 66 (EE certificate key too weak)

A default CA generated with a weak key limits on-the-fly certificate generation for deep inspection, even when your own CA is used.
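As an added example (not from the article or from Fortinet), the following Python script parses openssl s_client output like the capture above, reports whether the certificate was resigned by a FortiGate CA (issuer O = Fortinet), and flags a server public key below 2048 bits or a non-zero verify return code. check_host wraps a live openssl run and assumes the openssl CLI is on the path; the sample output embedded in the script is the article's capture.

```python
import re
import subprocess

# Constructed sample: the article's s_client capture of a deep-inspection session.
SAMPLE_OUTPUT = """\
issuer=C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGT6HD5818-----2, emailAddress = support@fortinet.com
---
Verification error: EE certificate key too weak
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 512 bit
Verify return code: 66 (EE certificate key too weak)
"""

def parse_s_client(output):
    """Pull issuer, server key size and verify result out of 'openssl s_client' output."""
    report = {"issuer": None, "key_bits": None, "verify_code": None, "verify_msg": None}
    for line in output.splitlines():
        if line.startswith("issuer="):
            report["issuer"] = line[len("issuer="):].strip()
        m = re.match(r"Server public key is (\d+) bit", line)
        if m:
            report["key_bits"] = int(m.group(1))
        m = re.match(r"Verify return code: (\d+) \((.*)\)", line)
        if m:
            report["verify_code"] = int(m.group(1))
            report["verify_msg"] = m.group(2)
    return report

def deep_inspection_active(report):
    """True when the certificate was resigned by a FortiGate CA (issuer O = Fortinet)."""
    return bool(report["issuer"]) and re.search(r"\bO ?= ?Fortinet\b", report["issuer"]) is not None

def weak_key_findings(report, min_bits=2048):
    """Findings that show a weak resigned certificate; an empty list means the check passed."""
    findings = []
    if report["key_bits"] is None:
        findings.append("server public key size not found in output")
    elif report["key_bits"] < min_bits:
        findings.append(f"server public key is {report['key_bits']} bits (< {min_bits})")
    if report["verify_code"] not in (None, 0):
        findings.append(f"verify return code {report['verify_code']}: {report['verify_msg']}")
    return findings

def check_host(host, port=443):
    """Live check (assumes the openssl CLI is installed): run s_client and evaluate it."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
                          input=b"", capture_output=True, timeout=30)
    return weak_key_findings(parse_s_client(proc.stdout.decode(errors="replace")))
```

Run check_host("www.example.com") from a client behind the FortiGate after regenerating the default certificates; an empty list means the resigned certificate now passes the key-size check.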

Scope

After an upgrade from LENC mode, some of the default certificates may not be regenerated.

Solution

Execute the following commands:

execute vpn certificate local generate default-ssl-ca
execute vpn certificate local generate default-ssl-ca-untrusted
execute vpn certificate local generate default-gui-mgmt-cert
execute vpn certificate local generate default-ssl-key-certs
execute vpn certificate local generate default-ssl-serv-key

This regenerates the default certificates and keys used for deep inspection. A reboot may be required for the new certificates and keys to take effect.

On an HA cluster, the following steps renew all default CAs and certificates on each member:

  1. Back up your configuration.
  2. Enable override on the primary FortiGate:

    config system ha
        set override enable
    end

  3. Generate new keys on the FortiGate, answering 'y' to each prompt:

    execute vpn certificate local generate default-ssl-ca
    execute vpn certificate local generate default-ssl-ca-untrusted
    execute vpn certificate local generate default-gui-mgmt-cert
    execute vpn certificate local generate default-ssl-key-certs
    execute vpn certificate local generate default-ssl-serv-key

  4. Wait 2 min for the configuration to sync, then reboot both members.

Example: https://i.imgur.com/gejvNNl.png


CLI (use execute ha manage to reach the other cluster member and reboot it, then reboot the primary):

execute ha manage ?
execute ha manage <cluster_id> <admin user>
execute reboot

Type 'y'.

execute reboot

Type 'y'.

  5. After verifying that deep inspection now works correctly, disable override on the primary FortiGate:

config system ha
    unset override
end