Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Certificate for https traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certificate for https traffic
Not sure it is in the correct thread.
Running on 200D 5.4.8
This is mainly for AV.
In order to detect viruses, we needed to add the SSL/SSH inspection and by selecting "Certificate Inspection", the firewall now detects viruses but only for non encrypted traffic.
As most of the traffic is now via https, we need to select instead "Deep Inspection"
However, all the sites now come with certificate errors.
The engineer assigned to our case, told us that we need to install the Fortigate certificate on all our workstations, which is not really possible. too many devices (windows, IOS, MAc and Android) and too many browsers
He said the alternative was to purchase a CA certificate and install it, but was not able to advise further.
Have many of you used that technique? I am guessing that it becomes more and more common to implement viruses/malware scanning at the gateway level, and this would be the easiest method now that 90% traffic is encrypted?
What CA would you recommend?
We already have a 'standard' certificate installed on the Fortigate for SSLVPN to avoid the errors.
When requesting the CA certificate, do we also use the same DNS name?
And it will not interfere with the current cert installed for SSLVPN?
Thanks in advance
Solved! Go to Solution.
Labels:
- Labels:
-
5.4
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
It's not possible to buy such public intermediate CA certificate! This would totally break SSL encryption. You'd be able to fake every SSL Website/Service worldwide.
Public intermediate CA certificates will be limited to specific domains, to which you are allowed to deploy certificates for. This is not what you need for deep ssl inspection.
With a private CA, you can do anything you want. Like creating your own SSL certificates for www.ubs.com, www.paypal.com, etc.
This is exactly what the Fortigate is doing when deep ssl inspection is enabled. It's decrypting the SSL connection, and creating a new encrypted connection with its own CA certificate. It will generate a new connection, because it does not have the private key for the website or the CA it's intercepting (in my example Verisign & online.citi.com). So a 'deep inspected' SSL connection to online.citi.com is divided in two seperate connections.
online.citi.com <--1--> fortigate <--2--> internal computer
1: public trusted certificate. Signed by VeriSign Class 3 Public Primary CA
2: privately trusted ceritificate. Signed by YourFortigate
There is no easy way around here. If you want to open and inspect SSL connections, you have to create your own CA Certificate and deploy it or use the one which is already on the Fortigate and deploy that one.
If there is not enough knowledge to setup an own PKI, I suggest you deploy the CA certificate already on the Fortigate.
Btw. this is not a Fortigate/Fortinet limitation, this is just how SSL interception works.
Also note.. you thoroughly need to this before enabling it globaly. Because it will most likely not work with some services/application you are using right now.
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:This is incorrect as far as I’m aware. Even in explicit proxy deployments, ssl interception with a signing certificate is still required. With explicit proxy, the FGT does have the domain being requested provided by the connect from the client. But the ssl handshake is proxied (not terminated) on the FortiGate, and therefore it is unable to inspect the http payload inside the ssl connection unless ssl deep inspection (aka ssl interception or MITM) is used.
You do have one more option that could be explored, and which requires NO cert and only will work for HTTP/HTTPS/FTP but has other gotchas If your goal is to inspect HTTPS/HTTP , defined the fortigate as explicit proxy and then you can do all that you want with out deploying certs across devices. You will still need to publish the proxy to the clients which is the gotcha ( WPAD or PAC )
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
It's not possible to buy such public intermediate CA certificate! This would totally break SSL encryption. You'd be able to fake every SSL Website/Service worldwide.
Public intermediate CA certificates will be limited to specific domains, to which you are allowed to deploy certificates for. This is not what you need for deep ssl inspection.
With a private CA, you can do anything you want. Like creating your own SSL certificates for www.ubs.com, www.paypal.com, etc.
This is exactly what the Fortigate is doing when deep ssl inspection is enabled. It's decrypting the SSL connection, and creating a new encrypted connection with its own CA certificate. It will generate a new connection, because it does not have the private key for the website or the CA it's intercepting (in my example Verisign & online.citi.com). So a 'deep inspected' SSL connection to online.citi.com is divided in two seperate connections.
online.citi.com <--1--> fortigate <--2--> internal computer
1: public trusted certificate. Signed by VeriSign Class 3 Public Primary CA
2: privately trusted ceritificate. Signed by YourFortigate
There is no easy way around here. If you want to open and inspect SSL connections, you have to create your own CA Certificate and deploy it or use the one which is already on the Fortigate and deploy that one.
If there is not enough knowledge to setup an own PKI, I suggest you deploy the CA certificate already on the Fortigate.
Btw. this is not a Fortigate/Fortinet limitation, this is just how SSL interception works.
Also note.. you thoroughly need to this before enabling it globaly. Because it will most likely not work with some services/application you are using right now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
agreed
The bottomline the OP needs to determine what certificate to use and how to deploy it to the webclient
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can I purchase a Certificate Authority that allows Decrypt and Scan without needing to deploy anything to clients?
No, you cannot. HTTPS is designed so that you cannot. Consider the implications if this was not true. If you took your phone to a coffee shop and logged on to their free wifi to do banking, would you like the coffee shop to be able to see all your bank account information? Because your phone is communicating with the bank's website using HTTPS, and because the coffee shop cannot spy on the traffic without you getting a warning, you know that communication is secure. A coffee shop (or your company) cannot use a Sophos web proxy to silently decrypt all HTTPS traffic without the user allowing it, either by having them install a CA or go through browser warnings.
You must use the CA that comes with the firewall or create your own CA certificate, which can be a self-signed root. Your Microsoft Active Directory also has its own Certificate Authority (see Active Directory Certificate Services) where you can create an intermediate/leaf CA that you can use within the firewall.
If it were possible to purchase a signing CA that is ultimately authenticated by a public root CA, it would break the whole trust model on which SSL authentication is based. The trust model depends on the organizations who control the trusted root certificates being selective and applying strict criteria about when they allow a certificate to be signed. For example, they should only sign a certificate for google.com if the person requesting the certificate can prove that they control that domain.
But if they issued a certificate to a third party that could be used to sign whatever certificate that third party likes, they would basically be delegating the ability to create and sign certificates for ANY domain that would be trusted automatically by ANY browser. It would allow the purchaser of that certificate to set up their own website and pretend to be google.com, or facebook.com, or wellsfargo.com or anyone they like, and browsers would just accept it.
Regards,
Deepak Kumar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed 100% with Kumar analysis.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
you need a CA and create A CSR after that attached it with your device , let me know if you still have a difficulies to support you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
v20100,
For your basic understanding:
if you want to inspect encrypted connections you do have to use deep inspection - correct so far!
Basically in this case your FortiGate has to do somewhat Man-in-the-middle (MitM). This means it has to catch the encrypted connection and decrypt it, inspect it and then re-encrypt it and hand it on to the client.
To encrypt you need the private key for the certificate and your FGT will of course not have private keys of remote side certificates. So the FGT must use it's own certificate to do this. For this Fortinet shipped the FGTs with a self-signed Fortinet certificate plus CA Certificate which is used by default. Since it is self-signed you will indeed have to roll the Fortinet CA Certificate out to your client to enable them to validate that certificate. Otherwise your clients will give you certificate errors like you reported.
Since you would afair need a sub-ca certificate for deep inspection which you might not get in public as someone wrote before the best solution will be to set up your own CA and publish it'S CA to your clients and the FGT and then generate the sub-ca with it. I'd btw recommend to initialize certificate generation for a FGT by creating a csr on the FGT because it then already has the keys.
That's also the way I do it here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
AFAIK, yes you need to install the fortigate certificate on all the workstations in order to trust the firewall the in inspecting your workstation traffic . using the certmgr.msc from cmd . I think you can do this via GPO if its many workstations .
This is true not only in Fortigate enviroments , we used to do that in other environments using other vendors proxies ..
Thanks
Thanks
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSLVPN on VDOM 811 Views
- Fortigate 40F Slow Upload Speeds 171 Views
- ACME Clarification 393 Views
- Azure Front Door on-premis Fortigate 522 Views
- Expired cert on fortigate CDN (fos-cdn.fortinet.com) 330 Views
Labels
-
FortiGate
8,485 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
460 -
FortiSwitch
458 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.