- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Check certificate revocation for SSLVPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check certificate revocation for SSLVPN
Hi,
I have a FortiGate using OS v5.2.8 and a Windows Server 2012 R2 with certificate services installed + OCSP is running.
When I create a PKI user the certificate is checked online during the SSLVPN connection start:
2016-08-14 20:46:50 fnbamd_fsm.c[2146] handle_req-Rcvd auth_cert req id=869183948 2016-08-14 20:46:50 fnbamd_auth.c[1308] check_cert-CA found: CA_Cert_3 2016-08-14 20:46:50 fnbamd_auth.c[1617] cert_check_group_list-checking group type 1 group name 'SSL_PKI' 2016-08-14 20:46:50 fnbamd_auth.c[1510] check_add_peer-check peer user 'ituser1' in group 'SSL_PKI', result is 0 2016-08-14 20:46:50 fnbamd_auth.c[1642] cert_check_group_list-Status pending for group 'SSL_PKI' 2016-08-14 20:46:50 fnbamd_cert.c[354] fnbamd_ocsp_start-Created OCSP request 2016-08-14 20:46:50 fnbamd_cert.c[114] ocsp_connect-Try url 1: host=dc1.gts.cz port=80(http) path=/ocsp 2016-08-14 20:46:50 fnbamd_cert.c[492] _fnbamd_ocsp_get_rsp-tcp connected 2016-08-14 20:46:50 fnbamd_cert.c[523] _fnbamd_ocsp_get_rsp-Sent OCSP request 2016-08-14 20:46:50 fnbamd_cert.c[537] _fnbamd_ocsp_get_rsp-recv returned: 2134 2016-08-14 20:46:50 fnbamd_cert.c[537] _fnbamd_ocsp_get_rsp-recv returned: 0 2016-08-14 20:46:50 fnbamd_cert.c[596] _fnbamd_ocsp_get_rsp-Received OCSP response 2016-08-14 20:46:50 fnbamd_cert.c[328] ocsp_verify_rsp-*** Certificate status is good 2016-08-14 20:46:50 fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 869183948
When I try to use other than PKI user (let's say LDAP user) the revocation list is not checked:
2016-08-14 20:48:35 fnbamd_fsm.c[2146] handle_req-Rcvd auth_cert req id=869183949 2016-08-14 20:48:35 fnbamd_auth.c[1308] check_cert-CA found: CA_Cert_3 2016-08-14 20:48:35 fnbamd_auth.c[1608] cert_check_group_list-group list is null 2016-08-14 20:48:35 fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 869183949
Does it mean that only the PKI user certificates can be checked for revocation via OCSP? Or some other settings are missing?
AtiT
AtiT
Labels:
- Labels:
-
5.2
0 REPLIES 0
Related Posts
- SSL VPN connection attempt prompts Fortiguard... 64 Views
- 2 separate SSLVPNs with 2 separate... 301 Views
- User Getting The server you want... 480 Views
- Forticlient 7.2.4 trying to use certificates... 19536 Views
- VPNSSL connection almost impossible, reset at... 1678 Views
Labels
-
FortiGate
6,937 -
FortiClient
1,366 -
5.2
801 -
5.4
639 -
FortiManager
600 -
FortiAnalyzer
438 -
6.0
416 -
5.6
362 -
FortiAP
362 -
FortiSwitch
358 -
FortiClient EMS
281 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
98 -
FortiGateCloud
92 -
FortiSIEM
91 -
SSL-VPN
87 -
FortiCloud Products
85 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
42 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
High Availability
28 -
FortiAuthenticator
27 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
FortiGate v5.2
19 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 991 | |
| 827 | |
| 462 | |
| 440 | |
| 132 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.