FortiWeb
rsingla
Staff
Article Id 191757

Description

 

This article describes how to generate an automatic event log as a reminder on a FortiWeb when an SSL Certificate is about to expire.

Scope


FortiWeb SSL Certificates v7.x.x.

Solution


Before FortiWeb v6.2, FortiWeb would not generate an event when the SSL Certificate was about to expire.

Starting from version 6.2.0, the administrator can configure a CLI setting that generates an event log as a reminder that a certificate is about to expire.

The number of days before expiry at which the event log is generated can be set between 0 and 365.

The CLI commands to configure this are:

 

FortiWeb # config system global
FortiWeb (global) # set cert-expire-check-time <cert-expire-check-time_int>
FortiWeb (global) # end

 

set cert-expire-check-time <cert-expire-check-time_int>

 

This command sets the notification time, in days, before the certificate expires. The valid value range is 0-365. A value of 0 means that certificate expiration is not checked. A value of 100 means the notification will be sent 100 days before the certificate expires.

The maximum number of days before expiry at which an event can be generated is 365 days, which is 1 year.

Once the period set in the command is reached, an event log like the one below is generated.

 

v010xxxxdate=2020-08-27 time=11:03:07 log_id=19999489 msg_id=000000002169 device_id=FXXXXXXXXXXX4 vd="root" timezone="(GMT+4:00)Abu Dhabi,Muscat" timezone_dayst="GMTa-4" type=event subtype="system" pri=alert trigger_policy="N/A" user=daemon ui=daemon action=cert-expire status=failure msg="Certificate fortiweb.com will get expired in 1 day"

 

If FortiWeb logs are sent to FortiAnalyzer, an email alert to the administrator can also be triggered using an Event Handler on FortiAnalyzer.
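
Where the logs are also forwarded to another collector, the same event can be matched there. The following Python code is an added example, not part of the original article or of any Fortinet product: it parses the key=value event shown above and returns the certificate name and days remaining. The function names and the max_days threshold are assumptions, and the message wording is inferred from the single sample line in this article.

```python
import re

# Event line copied from the article above; used here as sample input.
SAMPLE = (
    'v010xxxxdate=2020-08-27 time=11:03:07 log_id=19999489 msg_id=000000002169 '
    'device_id=FXXXXXXXXXXX4 vd="root" timezone="(GMT+4:00)Abu Dhabi,Muscat" '
    'timezone_dayst="GMTa-4" type=event subtype="system" pri=alert '
    'trigger_policy="N/A" user=daemon ui=daemon action=cert-expire status=failure '
    'msg="Certificate fortiweb.com will get expired in 1 day"'
)

# key=value pairs; a quoted value may contain spaces, commas and '='.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
# Assumption: message wording inferred from the one sample in the article.
MSG_RE = re.compile(r"Certificate (?P<cert>.+) will get expired in (?P<days>\d+) days?$")


def parse_kv(line):
    """Return the fields of one FortiWeb log line as a dict, quotes removed."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        # In the sample the first key arrives fused to a header prefix ("v010xxxxdate").
        if key.endswith("date") and "date" not in fields:
            key = "date"
        fields[key] = value
    return fields


def cert_expiry_alert(line, max_days=30):
    """Return an alert dict for a cert-expire event due within max_days, else None."""
    f = parse_kv(line)
    if f.get("type") != "event" or f.get("action") != "cert-expire":
        return None
    alert = {"device": f.get("device_id"), "date": f.get("date"),
             "cert": None, "days_left": None, "msg": f.get("msg", "")}
    m = MSG_RE.match(alert["msg"])
    if m is None:
        return alert  # unknown wording: surface the event rather than drop it
    alert["cert"], alert["days_left"] = m.group("cert"), int(m.group("days"))
    return alert if alert["days_left"] <= max_days else None


if __name__ == "__main__":
    print(cert_expiry_alert(SAMPLE))
```

A cert-expire event whose message does not match the expected wording is still returned, with cert and days_left left empty, so a change in message format does not silently suppress the reminder.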

 

Related document: 
FortiAnalyzer event handler trigger