mdanta
New Contributor II

Configuring Syslog for Mutually-Authenticated TLS Transport Using Local CA

Hello,

This is my first post so just let me know if there's standard information you need. We have a couple of Fortigate 100 systems running 6.0.7. Currently they send unencrypted data to our (Logstash running on CentOS 8) syslog servers over TCP. That's OK for now because the Fortigate and the log servers are right next to each other, but we want to move the servers to a data center, so we need to encrypt the log traffic. We use a company CA to sign certificates for both the servers and the clients. The setup is confirmed to work with our servers, but I'm having trouble getting it set up on the Fortigate systems and wondered if someone could give me a few hints?
What I've done so far is:

• Via the GUI, upload the company CA certificate. It shows up as an External CA Certificate.
• Via the GUI, upload a client certificate and key. That one shows up by name as an ordinary Certificate.
• Via the CLI, configure a syslogd sender.

We use the unnumbered syslogd client to send the unencrypted data, so are configuring syslogd2 for TLS as an experiment until we get it right:

    config log syslogd2 setting
        set status enable
        set server "192.168.100.49"
        set mode reliable
        set port 10516
        set enc-algorithm high
        set ssl-min-proto-version TLSv1-2
        set certificate "TestClientCertificate"
    end

What I'm seeing is exactly nothing, unfortunately... the most difficult situation to debug. Running tcpdump on the target server confirms that there is no data inbound to the server from the Fortigate on TCP/10516, but plenty is coming in on the port used for the unencrypted traffic. Also if I disable TLS sending, on the above, and just send unencrypted data to TCP/10516, the data is clearly (too clearly!) visible.

So I guess my first question is where to look for any diagnostic messages that might give me some hints about what's going on, and second, what might be wrong with my configuration? Just let me know if there's something I can try/send that would help resolve this!

Thanks!

1 REPLY

mdanta
New Contributor II

So I guess this is as much a mystery to everyone else as it is to me! Here's a bit of additional information. If I unset the certificate configuration line, so that the configuration looks like this:

    config log syslogd2 setting
        set status enable
        set server "192.168.100.49"
        set mode reliable
        set port 10516
        set enc-algorithm high
        set ssl-min-proto-version TLSv1-2
    end

then traffic IS sent to the server, however what happens is that the TLS handshake fails. There doesn't seem to be any indication of this on the Fortigate itself (are there logs for such things?), but on the server side I can see that the Fortigate is sending back a TLSV1_ALERT_UNKNOWN_CA message. However the correct CA certificate does seem to be installed:

    config vpn certificate ca
        edit "CA_Cert_1"
            set range global
        next
    end

One thing that concerns me is that in the CLI, the above is part of the VPN configuration, so maybe that part of the configuration is not visible to the logging subsystem? In the GUI there is no indication that this is specific to VPNs. It's just System > Certificates. But if the certificates are partitioned by usage, how do I import a CA certificate that will be usable for logging, or make the one I have usable?

Also I guess a secondary question is why would setting a client certificate prevent sending any traffic at all? But first things first!
