FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Kenichi_Terashita_FT
Article Id 190267

Description


This article describes how to observe and troubleshoot server certificate verification during SSL inspection.


Solution


The certificate verification step of an SSL inspection transaction can be observed with the diagnose command. Enable the fnbamd application debug below, then open a connection through the FortiGate to an SSL server and watch the server certificate being verified:
 
diagnose debug application fnbamd -1
diagnose debug enable

Start auth_cert:
  groups(0):
  ip:
  cert subject: C = CA, ST = British Columbia, L = Burnaby, O = Fortinet Technologies Canada Inc., OU = Customer Support, CN = support.fortinet.com
  cert  issuer: C = US, O = "Entrust, Inc.", OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE, OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY, OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2008 Entrust, Inc.", CN = Entrust Cert
auth_cert succeed: group='', user=''
 

The 'auth_cert succeed' line at the end of the output shows that verification passed: this example shows a valid certificate, issued by a CA that FortiGate trusts and still within its validity period.

 

diagnose debug application fnbamd -1
diagnose debug enable

Start auth_cert:
  groups(0):
  ip:
  cert subject: OU = Test dept, CN = test.example.com
  cert  issuer: OU = Test dept, CN = test.example.com
client cert expired
quick_check_cert failed

 

In this case, the certificate has already expired. FortiGate treats it as invalid; whether the SSL session is then blocked or allowed is governed by the SSL/SSH inspection profile's handling of expired server certificates (set expired-server-cert {allow | block | ignore}), so check that setting if an expired certificate is unexpectedly passed or blocked.

How to run debug commands for SSL inspection:
In flow-based inspection mode the IPS engine performs SSL inspection, so the IPS debugs apply; in proxy-based inspection mode the WAD daemon performs it, so the WAD debugs apply:
 

IPS related debug commands:

 

diagnose ips session list by-mem 15
diagnose ips session status
diagnose autoupdate version | grep "IPS Attack" -A 6
diagnose ips memory status


Additional Debugs:

 

diagnose ips debug enable ?
diagnose ips debug enable <categories>
diagnose ips filter status
diagnose debug enable

 

Disable once done:

 

diagnose debug reset
diagnose debug disable

 

WAD related debug commands:

 

WAD debug output can be very large, and the volume of debug lines can itself affect device performance. Apply as many filters as possible so that the WAD daemon only emits lines for the traffic under investigation.

 

The most commonly used options are as follows: 

 

diagnose debug console timestamp enable 

diagnose wad debug enable level verbose

diagnose wad debug enable category http

diagnose wad filter src x.x.x.x      <----- Source IP of the client.

diagnose wad filter dst y.y.y.y      <----- Destination IP of the server.

diagnose debug enable

 

The other available filter options can be listed with:


diagnose wad filter ?

 

The FNBAMD debug, which shows the certificate verification itself, can be run at the same time as the IPS or WAD debug:

 

diagnose debug application fnbamd -1
diagnose debug enable

 
How to verify a certificate against its CA certificate with the openssl command. This checks that the certificate was issued by (chains to) that CA and is within its validity period:

Example 1: Verifying FortiManager WebUI Certificate by Fortinet_CA:
 

$ openssl verify -CAfile Fortinet_CA.cer fmg.fortinet.com.pem
fmg.fortinet.com.pem: OK

 
This case shows that the FortiManager WebUI certificate is issued by Fortinet_CA and verifies correctly against it.

Example 2: Verifying FortiGate WebUI Certificate by Fortinet_CA:
 
$ openssl verify -CAfile Fortinet_CA.cer FG200B3909600933.crt
FG200B3909600933.crt: /CN=FG200B3909600933/O=Fortinet Ltd.
error 18 at 0 depth lookup:self signed certificate
OK
 
This case shows that the FortiGate WebUI certificate is self-signed (error 18, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT). Older OpenSSL releases treat a self-signed certificate at depth 0 as a warning only and still print OK, so the OK here means only that the check did not abort; it does not mean the certificate chains to Fortinet_CA, and a self-signed certificate is trusted only if it is itself in the trust store. Newer OpenSSL releases print 'verification failed' for the same input. To confirm that a self-signed certificate is exactly the one expected, verify it against itself (openssl verify -CAfile FG200B3909600933.crt FG200B3909600933.crt) or compare its fingerprint (openssl x509 -noout -fingerprint -sha256 -in FG200B3909600933.crt) with the one shown on the FortiGate.

The error codes are listed in the openssl verify manual page (man verify) or in the verify(1) page on the FreeBSD site.
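The three outcomes shown in the fnbamd debug and openssl examples above (a certificate that chains to a trusted CA, an expired certificate, and a self-signed certificate) can be reproduced locally with openssl, as in the following added example. It is not from the original article or from Fortinet: it generates its own throwaway CA and certificates (all names such as Example Lab Root CA, server.example.test and FG-selfsigned are constructed), and uses openssl verify -attime to simulate a clock ten days ahead so that the expiry case can be exercised without waiting. The verify_cert function classifies the result by the X509 error number that openssl prints, so the verdict is the same whether the installed OpenSSL says OK or 'verification failed' after a self-signed warning.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): reproduce the three
# certificate verification outcomes with openssl, using throwaway
# certificates generated on the fly. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical private CA standing in for Fortinet_CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/O=Example Lab/CN=Example Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null

# Leaf certificate signed by that CA, valid for one day only so that
# a simulated clock ten days ahead sees it as expired.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=server.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/server.pem" 2>/dev/null

# Self-signed certificate, like a factory-default FortiGate WebUI certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=FG-selfsigned/O=Example Lab" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# Ten days from now as a Unix timestamp, for openssl verify -attime.
FUTURE=$(( $(date +%s) + 10 * 86400 ))

# verify_cert CAFILE CERT [EPOCH]
# Runs openssl verify and classifies the outcome by the X509 error code.
# The "error N at D depth lookup" line is printed the same way by old and
# new OpenSSL releases, even though old ones still print OK afterwards for
# a self-signed (18) or expired (10) certificate.
verify_cert() {
  cafile=$1; cert=$2; attime=${3:-}
  if [ -n "$attime" ]; then
    out=$(openssl verify -attime "$attime" -CAfile "$cafile" "$cert" 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1 || true)
  fi
  case "$out" in
    *"error 18 at"*) echo "self-signed" ;;       # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    *"error 10 at"*) echo "expired" ;;           # X509_V_ERR_CERT_HAS_EXPIRED
    *"error 20 at"*) echo "untrusted-issuer" ;;  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    *": OK"*)        echo "valid" ;;
    *)               echo "failed" ;;
  esac
}

echo "leaf signed by CA, checked against CA:           $(verify_cert "$WORK/ca.cer" "$WORK/server.pem")"
echo "same leaf, clock moved ten days ahead:           $(verify_cert "$WORK/ca.cer" "$WORK/server.pem" "$FUTURE")"
echo "self-signed cert, checked against CA:            $(verify_cert "$WORK/ca.cer" "$WORK/self.crt")"
echo "self-signed cert, pinned as its own anchor:      $(verify_cert "$WORK/self.crt" "$WORK/self.crt")"
echo "leaf signed by CA, checked against wrong anchor: $(verify_cert "$WORK/self.crt" "$WORK/server.pem")"
```

The last two cases are the ones the article's Example 2 leaves implicit: a self-signed certificate only verifies when it is itself the trust anchor, and a CA-issued certificate checked against the wrong anchor fails with error 20 rather than being accepted. Matching on the numeric error rather than on the final OK/failed line is what keeps the classification stable across OpenSSL versions.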
 
Use 'get vpn certificate local' to check certificate details, including expiry, directly from the FortiGate CLI.

 

Related articles:

Technical Tip: SSL Inspection fails when FortiGate verifies the server certificate by its CA certifi...

Technical Tip: How to enable Deep Content Inspection

Technical Tip: Importing the FortiGate SSL Proxy certificate in Internet Explorer 8 (IE8) for decryp...

Technical Tip: FortiGate SSL Inspection - Verifying server certificate validity (includes Japanese v...