Solved! Go to Solution.
The FortiGate Admin guide has a section on PCI compliance here which goes through some of the ways you can harden your FortiGate to comply with PCI.
FWIW & IMHO that links is useless without reference to the actual PCI DSS specifications. IMHO experiences and thru various audits, you 're best to read/review the actual PCI DSS "Requirements and Security Assessment Procedures" document. It's only like 100 pages and 12 major areas with like 4-5 that really deals wth network, systems and firewalls. It would take you less than 1-2 hour to read it for a average reader.
OP, keep this thought in mind ; " as log as you read the areas that applicable to you and can demonstrate that you meet that requirement ( paragraph and all sub-paragrahs )". Then you will always PASS a audit.
Some things will be nik-picked on like " disabling of unused accounts or re-use of passphrases " ( both of these are very hard to do without a remote authentication system aka .....authenticator radius etc.....
So read the actual PCI DSS document, FIPS mode will get you by on any weak cipher and security protocols, but PCI-DSS is more than just that & is a complete practical procedure from end2end and everything in between.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Belatedly adding from my experiences of the past few months.
Some of the things I have had to do in relation to SSL VPN functionality for PCI DSS compliance:
* installed a certificate from a trusted third-party CA for our SSL VPN connections (instead of using self-signed cert)
* disabled SSL 3.0, TLS 1.0 and TLS 1.1 connections for the SSL VPN
* set encryption/cipher algorithms to High level instead of Default (disables insecure ciphers like RC4; I think?)
* contact ISP and set up reverse DNS lookup from firewall IP to host name that matches our wildcard cert
Stephen Frost wrote:Belatedly adding from my experiences of the past few months.
Some of the things I have had to do in relation to SSL VPN functionality for PCI DSS compliance:
* installed a certificate from a trusted third-party CA for our SSL VPN connections (instead of using self-signed cert)
* disabled SSL 3.0, TLS 1.0 and TLS 1.1 connections for the SSL VPN
* set encryption/cipher algorithms to High level instead of Default (disables insecure ciphers like RC4; I think?)
* contact ISP and set up reverse DNS lookup from firewall IP to host name that matches our wildcard cert
Sounds like the exact process I'm working on!
The FortiGate Admin guide has a section on PCI compliance here which goes through some of the ways you can harden your FortiGate to comply with PCI.
FWIW & IMHO that links is useless without reference to the actual PCI DSS specifications. IMHO experiences and thru various audits, you 're best to read/review the actual PCI DSS "Requirements and Security Assessment Procedures" document. It's only like 100 pages and 12 major areas with like 4-5 that really deals wth network, systems and firewalls. It would take you less than 1-2 hour to read it for a average reader.
OP, keep this thought in mind ; " as log as you read the areas that applicable to you and can demonstrate that you meet that requirement ( paragraph and all sub-paragrahs )". Then you will always PASS a audit.
Some things will be nik-picked on like " disabling of unused accounts or re-use of passphrases " ( both of these are very hard to do without a remote authentication system aka .....authenticator radius etc.....
So read the actual PCI DSS document, FIPS mode will get you by on any weak cipher and security protocols, but PCI-DSS is more than just that & is a complete practical procedure from end2end and everything in between.
PCNSE
NSE
StrongSwan
I could use some input from others with more experience. Having followed the instructions here:
https://stuff.purdon.ca/?page_id=83
I've successfully imported a valid wildcard certificate issued by a proper third-party CA (GeoTrust). The wildcard cert is now being used for SSL VPN connections. So far so good.
My question concerns the entirety of the cert's chain ... the Intermediate and the Root signing authority certs.
These have NOT been installed to our Fortigate. The SSL VPN is working fine. But we are getting an error when we do a PCI vulnerability scan. The scan is not recognising the validity of the CA. Is this because I have not also installed the Intermediate and Root certs to the Fortigate? Or is it because there's an issue with the Qualys scan system and *it* is at fault.
What have others done when installing third-party CA certs ... install Intermediate and Root certs ... or not?
If installing, do they all go into the Local Certificates store, or ... ?
EDIT: in the meantime I have flagged the issue as a False Positive and this has been accepted by Qualys ... but I would still be interested to know what others have done when installing 3rd-party CA certs.
Stephen Frost wrote:You probably figured this out by now, but you need to install all of the certs that come in the bundle from your CA for it to work. You use Certificates...Import...CA Certificate for the TrustedRoot.crt and VendorNameCA.crt (I bought mine from Digicert).I could use some input from others with more experience. Having followed the instructions here:
https://stuff.purdon.ca/?page_id=83
I've successfully imported a valid wildcard certificate issued by a proper third-party CA (GeoTrust). The wildcard cert is now being used for SSL VPN connections. So far so good.
My question concerns the entirety of the cert's chain ... the Intermediate and the Root signing authority certs.
These have NOT been installed to our Fortigate. The SSL VPN is working fine. But we are getting an error when we do a PCI vulnerability scan. The scan is not recognising the validity of the CA. Is this because I have not also installed the Intermediate and Root certs to the Fortigate? Or is it because there's an issue with the Qualys scan system and *it* is at fault.
What have others done when installing third-party CA certs ... install Intermediate and Root certs ... or not?
If installing, do they all go into the Local Certificates store, or ... ?
EDIT: in the meantime I have flagged the issue as a False Positive and this has been accepted by Qualys ... but I would still be interested to know what others have done when installing 3rd-party CA certs.
After the Trusted Root and Intermediate certs are installed, you use Certificates...Import...Local Cert and select the cert issued by your CA based on the CSR you sent them. Some things to note:
Using and Extended Validation (EV) cert will break firmware 5.2.3. You can generate the CSR, but when you import the signed cert provided by your CA, it will turn the cert UI white making it unusable. Upgrading to 5.2.4 fixes this issue, but 5.2.4 has problems with multi-WAN and SSL (based on other forum posts) so be careful if you need that. I have two brand new 500Ds that I've been testing this with fairly simple configs, and I have confirmed the above regarding EV certs working on .4 but not .3.
If you want to get the best rating from the Qualys test site: https://www.ssllabs.com/ssltest/index.html
you should do the following:
-Consider using a Elliptic Curve instead of RSA keyed cert. RSA is not aging well and various sources have indicated that properly funded parties are better able to compromise it. When you generate the cert choose "Elliptic Curve" and "secp256r1" for the key type and curve name. (EC will not work with old browsers. Make sure you don't have some maniac at home running Windows 2000, if you do tell them to get with the program).
-Consider getting an EV cert so that your users get the nice green URL bar. I used Digicert for this. They are great.
- You need to harden your Fortinet to ensure the proper crypto algorithms and services are enabled/disabled:
config system global set strong-crypto enable end
config vpn ssl settings set sslv3 disable set algorithm high end
Again, if you do need to support legacy browser versions for some terrible reason, the above will remove SSLv3 protocol and RC4 cipher and will break compatibility (but you will be more secure). Both of these are vulnerable to compromise now and anything produced in the last 2 to 3 years will support TLS (which is essentially SSLv4) and ECDHE, so it shouldn't be an issue except for the most extreme cases. I have not had problems so far with this config.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1742 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.