Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Certificate for https traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Certificate for https traffic
Not sure it is in the correct thread.
Running on 200D 5.4.8
This is mainly for AV.
In order to detect viruses, we needed to add the SSL/SSH inspection and by selecting "Certificate Inspection", the firewall now detects viruses but only for non encrypted traffic.
As most of the traffic is now via https, we need to select instead "Deep Inspection"
However, all the sites now come with certificate errors.
The engineer assigned to our case, told us that we need to install the Fortigate certificate on all our workstations, which is not really possible. too many devices (windows, IOS, MAc and Android) and too many browsers
He said the alternative was to purchase a CA certificate and install it, but was not able to advise further.
Have many of you used that technique? I am guessing that it becomes more and more common to implement viruses/malware scanning at the gateway level, and this would be the easiest method now that 90% traffic is encrypted?
What CA would you recommend?
We already have a 'standard' certificate installed on the Fortigate for SSLVPN to avoid the errors.
When requesting the CA certificate, do we also use the same DNS name?
And it will not interfere with the current cert installed for SSLVPN?
Thanks in advance
Solved! Go to Solution.
Labels:
- Labels:
-
5.4
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
It's not possible to buy such public intermediate CA certificate! This would totally break SSL encryption. You'd be able to fake every SSL Website/Service worldwide.
Public intermediate CA certificates will be limited to specific domains, to which you are allowed to deploy certificates for. This is not what you need for deep ssl inspection.
With a private CA, you can do anything you want. Like creating your own SSL certificates for www.ubs.com, www.paypal.com, etc.
This is exactly what the Fortigate is doing when deep ssl inspection is enabled. It's decrypting the SSL connection, and creating a new encrypted connection with its own CA certificate. It will generate a new connection, because it does not have the private key for the website or the CA it's intercepting (in my example Verisign & online.citi.com). So a 'deep inspected' SSL connection to online.citi.com is divided in two seperate connections.
online.citi.com <--1--> fortigate <--2--> internal computer
1: public trusted certificate. Signed by VeriSign Class 3 Public Primary CA
2: privately trusted ceritificate. Signed by YourFortigate
There is no easy way around here. If you want to open and inspect SSL connections, you have to create your own CA Certificate and deploy it or use the one which is already on the Fortigate and deploy that one.
If there is not enough knowledge to setup an own PKI, I suggest you deploy the CA certificate already on the Fortigate.
Btw. this is not a Fortigate/Fortinet limitation, this is just how SSL interception works.
Also note.. you thoroughly need to this before enabling it globaly. Because it will most likely not work with some services/application you are using right now.
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I deploy really often the Deep-inspection solution. You don't need to buy a CA certificate. There is someway to archieve the goal:
- Have a CA Certificate in your Active Directory.
or
- Build you own CA certificate and deploy it in the GPO in the Trusted Root Certificate. That's is my prefered!
SSLVPN and CA are used in two different purposes. The CA certificate is used to decrypt and then re-encrypt the traffic to the destination computer. That's the reason computers have to trust this CA as a known trusted CA.1
To create a CA certificate, I'm using XCA, it works really fine: https://sourceforge.net/projects/xca/
Have a nice day.
Philippe
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
We are doing A/V on our FortiWiFi60E running FortiGateOS 6.0. Already purchased a SSL cert from a public CA authority. However, have problem uploading it into the Certificate DB into Forti60E. The CA authority send a wildcard cert for our company along with an Intermediate CA cert. The wildcard cert loads into Forti60E Certificate DB in the Certificate top sections, while the Intermediate CA certs loads into the External CA section. However, when selecting in the policy for SSL deep inspection, only the Local CA cert Forti_CA_SSL shows in the drop down list! which is the default builtin Fortinet cert. How can we select from External CA section for the SSL deep inspection cert??? Any help would be appropriated.
PS We do have a local CA running, but this would require uploading local CA cert into every device, which is not desired.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a browsing rule for yourself only, and enable the deep inspection and select the VPN cert and see if you get errors.... but if they recomend a CA cert then it might still cause issues seeing you say it's a "standard" cert.
CA cert will not cause issues with your VPN cert as you will not be asigning the CA cert to the VPN config...
We rolled out the Fortigate cert (what a mission that is) so we are using that for now, but will probably also go the CA route at some point as installing the fortigate cert on devices is becoming a mission
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wait
Do what was said b4 build your own CA and you still need to have that certifcate installed and trusted on the client. So no matter what you do, you ( private SelfSign or whatever ) the clients will need the certificate trusted.
The other option ( please don't do this ) is to remove certificate validation from the client, You could do this but now any site would be valid since no validation has taken place
That would be the iequal of curl -k for example.
The engineer assigned to our case, told us that we need to install the Fortigate certificate on all our workstations, which is not really possible. too many devices (windows, IOS, MAc and Android) and too many browsers
You have a CA certificate on the fortigate now, export that one if you don't want to craft a new one. When support tells you these things they should explain and process.
http://socpuppet.blogspot.com/2016/10/a-quick-and-sure-to-know-if-ssl.html
and FWIW, no commercial CA will blindly give you a CA intermediate certificate under normal means. Going to godaddy for example and buying a certificate is a "web server" certificate not a CA cert. So keep that in mind.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if I understanding A/V SSL deep inspection correctly, cannot be done unless is a local CA root authority certificate? public CA authorities such as Godaddy, only give intermediate CA cert, which does not contain the private key, hence no good for A/V SSL deep inspection?? Yes or No?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
If you want to "see" the content of outgoing https traffic then installing CA into clients is mandatory whatever the CA is yours or from FGT. This is because FGT now needs to do the deep-inspection with certificate re-sign. If you only need to check the Url then certificate-inspection can meet.
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MAK,
If you want to use your CA to do the certificate re-sign rather than the build-in one , you have to upload both the CA and key. This is because FGT will use the 'key' + CA info to re-sign the certificates coming from outside world. And yes, the public CA authorities usually won't give you the key of intermediate CA cert because if you have that key on hand, then you can sign other certificates with it as well, which means you become a sub CA authority.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone
Still confused on what we can do or not!
As mentioned in the original post, we cannot deploy the certificates to clients, as we have too many device types, and many not on AD/GPO.
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
It sounds it is technically difficult to implement this.
Kurtly_ftnt, you seem to have managed to get it going without deployment to each devices. Sorry my knowledge about 'certificate' is not that great. Can you please elaborate on the steps to upload the CA and Key?
Anybody has been able to get AV scanning for HTTPS traffic without deploying certificate to each devices and browsers?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I find it strange that Fortinet does not have a built-in public certificate that should be used for this. Surely, if it says it can scan for viruses/etc on the fly, it should provide the facility out of the box!
They ( FTNT ) has SelfSign Certificate CA type not public known. if they did what you are asking they would have to pay big bucks to join WEBCAB to have their CAcert trusted by all of those devices "you need the cert on", since you don't want to distribute the cert. FTNT is not in the business as a CA.
It sounds it is technically difficult to implement this.
No. it's really not that hard ;) Your understanding of the process is not clear. You injecting a MiTM is not something done easily if you want it to work. You don't wake up and deploy a HTTPS MiTM device and think it's going to work much like a US SPACE Program doesn't place a rocket engine on a pair of wings and think it will fly to mars ;)
You do have one more option that could be explored, and which requires NO cert and only will work for HTTP/HTTPS/FTP but has other gotchas
If your goal is to inspect HTTPS/HTTP , defined the fortigate as explicit proxy and then you can do all that you want with out deploying certs across devices. You will still need to publish the proxy to the clients which is the gotcha ( WPAD or PAC )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSLVPN on VDOM 811 Views
- Fortigate 40F Slow Upload Speeds 171 Views
- ACME Clarification 393 Views
- Azure Front Door on-premis Fortigate 522 Views
- Expired cert on fortigate CDN (fos-cdn.fortinet.com) 330 Views
Labels
-
FortiGate
8,485 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
460 -
FortiSwitch
458 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.