Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DavidMcQueenLPS
New Contributor

Created on ‎07-09-2019 12:55 PM

Replace Fortigate Certificate for Explicit Proxy (6.03)

I found a cookbook article for 5.2 but that doesn't hold for 6.03.

 

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-security-profiles-52/Other_Profi...

 

We are trying to transition from a Squid based Man in the Middle filter system to the Fortigate.  We do not want to install the fortigate cert on all the machines, since we already have one installed and working.  Much rather make that one the signer on the fortigate.

 

 

 

14570
0 Kudos
11 REPLIES 11
hubertzw
Contributor III

Created on ‎07-10-2019 02:42 AM

You can use internal certificate authority, on FGT you need to generate CSR and then issue certificate (template „Subordinate Certification Authority”)

8949
0 Kudos
DavidMcQueenLPS
New Contributor
In response to hubertzw

Created on ‎07-10-2019 05:06 AM

I have the Certificate installed and being used for SSL Deep Packet Inspection and it is working great there.  The explicit proxy does not use this one and I cannot seem to locate how, in 6.03, to point it to this cert.

 

 

8949
0 Kudos
hubertzw
Contributor III
In response to DavidMcQueenLPS

Created on ‎07-10-2019 06:13 AM

In the proxy policy you have Security Profiles, as with Firewall Policies. Set the profile with the correct cert

8949
0 Kudos
DavidMcQueenLPS
New Contributor
In response to hubertzw

Created on ‎07-10-2019 06:44 AM

Here is my Proxy Policy....I will replay 3 more times with the Options, Web Filter and SSL Inspection info (only 1 image per post).

Preview file
64 KB
8949
0 Kudos
hubertzw
Contributor III
In response to DavidMcQueenLPS

Created on ‎07-10-2019 09:07 AM

What do you see in the UTM logs? You can also enable logging all sessions just for the troubleshooting

8949
0 Kudos
DavidMcQueenLPS
New Contributor

Created on ‎07-10-2019 07:26 AM

Proxy Options:

 

Preview file
43 KB
8949
0 Kudos
DavidMcQueenLPS
New Contributor
In response to DavidMcQueenLPS

Created on ‎07-10-2019 07:40 AM

Web Filter:

 

Preview file
81 KB
8949
0 Kudos
DavidMcQueenLPS
New Contributor
In response to DavidMcQueenLPS

Created on ‎07-10-2019 08:07 AM

SSL/SSH Inspection Profile:

 

Preview file
63 KB
8949
0 Kudos
DavidMcQueenLPS
New Contributor

Created on ‎07-11-2019 10:48 AM

So I ended up opening a support ticket for this issue.

 

The engineer noticed something that should not be possible.  In the Proxy Policy the service was not set.  I say that this is not possible, because that is a required field.  When the engineer was changing the Logging options, it error'd on that field until it was set.

 

So all is functioning.  Still not sure why I was getting the Fortigate's self signed cert, but problem solved.

 

 

8949
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.