Scan is coming back with failures on the following; these all relate to either the Fortinet_CA or the Fortinet_Sub_CA. I've already updated my certificate for Administration as well as my SSL VPN certificate with a valid certificate. How can I go about updating the items below? As they appear to be Root CAs, I don't see them "attached" anywhere. When I look at Certificates in the unit they show up under Remote CA Certificates. Basically it doesn't like the length of these or the fact that they are showing as self-signed. I'm assuming if I remove these it will cause issues with other Fortinet certificates. What's the best option to proceed?
Hello gsieg, Good day!
I wonder if you have already referred to the link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Resolving-PCI-Compliance-Failure-Due-to-Fo...
Please confirm the port number on which the compliance is failing. If it is not the SSLVPN port, then this reference should help you to narrow down the issue.
Thank you!
Yes, I did find that and it resolved 3 items, but these remain. One item: while I did update the SSL cert, I did not change the admin port to 4443; I left it at 443 as I have SSL VPN on 4443. I don't think it matters, especially since that is not the port being flagged, but I figured I'd mention it as I didn't follow that document to a "T".
Ports 1000 and 1003 are the ports failing.
Doing some searching specifically on the ports and not on the certificates, I'm finding that port 1000 is used primarily for authentication keepalives and port 1003 is used together with 1000 for the Captive Portal, neither of which I am utilizing. I just disabled the keepalive, but it doesn't appear Captive Portal is on; doing more research.
I turned off the keepalive and, even though the Captive Portal was off, I changed the SSL cert on it to my non-self-signed one. Ran the scan again and I'm good now!
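As an added example (not from the thread or from Fortinet), a small POSIX shell check that pulls the certificate a FortiGate presents on a given TCP port and reports the two things the scanner objected to, whether the cert is self-signed (subject equals issuer) and its public key size, so ports 1000 and 1003 can be verified before and after the keepalive/Captive Portal change. The hostname, the port loop and the use of `openssl` on the workstation are assumptions.

```shell
#!/bin/sh
# Check the certificate a FortiGate presents on a TCP port for the two
# findings the PCI scan raised: self-signed issuer and public key length.
# Host and ports below are placeholders, not values from the thread.

# Fetch the leaf certificate presented on host:port as PEM.
fetch_cert() {  # usage: fetch_cert HOST PORT > cert.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Exit 0 (true) when subject and issuer match, i.e. the cert is self-signed.
cert_is_self_signed() {  # usage: cert_is_self_signed cert.pem
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Print the public key size in bits (e.g. 2048) parsed from the text dump.
cert_key_bits() {  # usage: cert_key_bits cert.pem
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Summarise one port the way the scanner would judge it.
check_port() {  # usage: check_port HOST PORT
    tmp=$(mktemp)
    if ! fetch_cert "$1" "$2" > "$tmp" 2>/dev/null; then
        echo "$1:$2 no TLS certificate returned (port closed or not TLS)"
        rm -f "$tmp"; return 0
    fi
    bits=$(cert_key_bits "$tmp")
    if cert_is_self_signed "$tmp"; then status="self-signed"; else status="CA-signed"; fi
    echo "$1:$2 ${status}, ${bits}-bit key"
    rm -f "$tmp"
}

# Example run against the ports the scan flagged (hostname is a placeholder):
# for p in 1000 1003; do check_port fortigate.example.internal "$p"; done
```

A port that reports "no TLS certificate returned" after the keepalive is disabled is the expected outcome; a port still answering with a self-signed cert is the one the scanner will keep flagging.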