Hello,
Is it possible to use a Let's Encrypt certificate with the web filter?
The goal is to set up a web filter and configure overrides without installing the certificate on all clients.
Would a self-signed certificate be better?
The LE certificate can be used in a VIP with TLS offloading (server-load-balance with TLS/HTTPS sub-type), or in SSL inspection profiles set to "protect server". Webfilter can be used in firewall policies with either of these with relative ease.
You will not be able to use it for deep inspection of outbound general internet traffic (typical outgoing "LAN->WAN" traffic from end-user endpoints). A CA certificate is needed for that, and LE will not issue one for you. (Nor will any commercial CA sell you one, to be clear.)
Thank you for your reply.
So I can use the LE certificate in the web filter relatively easily...
What do you mean by "relatively easily"? What do I have to do?
Potentially nothing, hence "relatively easily".
Example for a basic setup for inbound traffic filtering (e.g. to your internet-exposed webserver):
I don't recall if the intermediate CAs need to be imported into the FortiGate to possess the complete chain, but modern clients probably won't have problems with this.
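To make "potentially nothing" concrete, here is an added example of the inbound "protect server" setup in FortiOS CLI. It is not from the original post and not Fortinet documentation. It assumes the Let's Encrypt certificate and its private key have already been imported as the local certificate `le-example-com`, that the web server sits behind the `dmz` interface at 10.0.0.10, that the public address is 203.0.113.10 on `wan1`, and that a web filter profile named `inbound-web` already exists; all of these names, addresses and interface names are assumptions.

```fortios
# Added example, FortiOS CLI (names, addresses and interface names are assumed).
# 1. Publish the server through a static-NAT VIP. The server still terminates
#    TLS itself; the FortiGate decrypts the session using the LE certificate
#    and key referenced in the SSL profile below.
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 2. SSL inspection profile in "protect server" mode. Instead of re-signing
#    with a CA, the FortiGate presents the imported LE certificate itself,
#    so clients see a publicly trusted chain and need nothing installed.
config firewall ssl-ssh-profile
    edit "protect-server-le"
        set server-cert-mode replace
        set server-cert "le-example-com"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# 3. Inbound policy that applies the web filter to the decrypted traffic.
config firewall policy
    edit 10
        set name "inbound-web-filtered"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "protect-server-le"
        set webfilter-profile "inbound-web"
    next
end
```

Two checks worth doing once this is in place: the LE certificate is only valid for 90 days, so the import needs to be renewed on the same schedule as the web server's copy, and after the change you should connect from outside (for example `openssl s_client -connect 203.0.113.10:443 -servername example.com`) and confirm that the issuer shown is Let's Encrypt and that the intermediate is present in the served chain. If the intermediate is missing, import it alongside the certificate and re-test, which settles the chain question from the reply above for your own unit.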
I'm sorry, but it's not clear to me whether I always need to install the Fortinet CA certificate to use the web filter with override for outbound traffic, i.e. LAN to WAN.
The web filter hits LAN to WAN traffic only.
For outbound traffic, where you want to inspect traffic from your LAN clients towards arbitrary third-party websites (or other services) that you do not control, you will absolutely need your own CA, and that CA needs to be installed as a trusted CA on all endpoints whose traffic is to be inspected. There is no way to circumvent this. Let's Encrypt certificates are not an option here.
A slightly easier situation is if you have a Windows AD environment with an already existing root CA. If you use that root CA to issue a sub-CA for the FortiGate, you can use that for deep inspection, and domain-joined Windows devices should automatically trust that CA (as long as they actually have the domain root CA already installed).
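As an added example (not from the original post and not Fortinet documentation), this is the outbound counterpart in FortiOS CLI for the AD sub-CA approach described above. It assumes the sub-CA certificate and its private key, issued by the AD root, have been imported on the FortiGate as the local certificate `AD-SubCA-FortiGate`, that the LAN is on interface `lan` and the Internet on `wan1`, and that a web filter profile `outbound-web` with its overrides already exists. All names are assumptions.

```fortios
# Added example, FortiOS CLI (interface, certificate and profile names are assumed).
# 1. Deep-inspection profile that re-signs server certificates with the
#    AD-issued sub-CA instead of the built-in Fortinet_CA_SSL. Domain-joined
#    Windows clients already trust the AD root, so the re-signed chain
#    validates without installing anything on each endpoint.
config firewall ssl-ssh-profile
    edit "deep-inspection-adsubca"
        set server-cert-mode re-sign
        set caname "AD-SubCA-FortiGate"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

# 2. Outbound policy: LAN -> WAN with the web filter applied to decrypted traffic.
config firewall policy
    edit 20
        set name "lan-to-wan-filtered"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-adsubca"
        set webfilter-profile "outbound-web"
    next
end
```

The certificate the AD CA issues for the FortiGate must be a CA certificate (Basic Constraints CA:TRUE with the certificate-signing key usage, which is what the "Subordinate Certification Authority" template in AD CS produces); a normal web server certificate will be rejected for re-signing. Verify from a domain-joined client by opening any HTTPS site and checking that the certificate shown is issued by the sub-CA with no browser warning. Devices that are not domain-joined (phones, BYOD laptops) still need the AD root installed manually, and applications that pin certificates will fail under any re-signing CA, so those destinations usually end up in an exemption list on the SSL profile.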
Copyright 2024 Fortinet, Inc. All Rights Reserved.