Configuring Syslog for Mutually-Authenticated TLS Transport Using Local CA
Hello,
This is my first post so just let me know if there's standard information you need. We have a couple of Fortigate 100 systems running 6.0.7. Currently they send unencrypted data to our (Logstash running on CentOS 8) syslog servers over TCP. That's OK for now because the Fortigate and the log servers are right next to each other, but we want to move the servers to a data center, so we need to encrypt the log traffic. We use a company CA to sign certificates for both the servers and the clients. The setup is confirmed to work with our servers, but I'm having trouble getting it set up on the Fortigate systems and wondered if someone could give me a few hints?
What I've done so far is:
We use the unnumbered syslogd client to send the unencrypted data, so we are configuring syslogd2 for TLS as an experiment until we get it right:

    config log syslogd2 setting
        set status enable
        set server "192.168.100.49"
        set mode reliable
        set port 10516
        set enc-algorithm high
        set ssl-min-proto-version TLSv1-2
        set certificate "TestClientCertificate"
    end
What I'm seeing is exactly nothing, unfortunately... the most difficult situation to debug. Running tcpdump on the target server confirms that there is no data inbound to the server from the Fortigate on TCP/10516, but plenty is coming in on the port used for the unencrypted traffic. Also, if I disable TLS sending on the above and just send unencrypted data to TCP/10516, the data is clearly (too clearly!) visible.
So I guess my first question is where to look for any diagnostic messages that might give me some hints about what's going on, and second, what might be wrong with my configuration? Just let me know if there's something I can try/send that would help resolve this!
Thanks!
So I guess this is as much a mystery to everyone else as it is to me! Here's a bit of additional information. If I unset the certificate configuration line, so that the configuration looks like this:
    config log syslogd2 setting
        set status enable
        set server "192.168.100.49"
        set mode reliable
        set port 10516
        set enc-algorithm high
        set ssl-min-proto-version TLSv1-2
    end
then traffic IS sent to the server, however what happens is that the TLS handshake fails. There doesn't seem to be any indication of this on the Fortigate itself (are there logs for such things?), but on the server side I can see that the Fortigate is sending back a TLSV1_ALERT_UNKNOWN_CA message. However, the correct CA certificate does seem to be installed:
    config vpn certificate ca
        edit "CA_Cert_1"
            set range global
        next
    end
One thing that concerns me is that in the CLI, the above is part of the VPN configuration, so maybe that part of the configuration is not visible to the logging subsystem? In the GUI there is no indication that this is specific to VPNs. It's just System > Certificates. But if the certificates are partitioned by usage, how do I import a CA certificate that will be usable for logging, or make the one I have usable?
Also I guess a secondary question is why would setting a client certificate prevent sending any traffic at all? But first things first!
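The TLSV1_ALERT_UNKNOWN_CA message seen on the server in the follow-up post is a standard TLS alert record (level 2 "fatal", description 48 "unknown_ca", per RFC 5246 section 7.2 and RFC 8446 section 6), and the same record-layer decoding applies to the silent failure in the first post once a capture on the Fortigate side of the link is available. The following is an added example, not code from the original posts or from Fortinet, that decodes TLS record headers and plaintext alerts from captured bytes and maps the certificate-related alerts to where a defender should look first. The CAPTURE byte string and the HINTS wording are constructed for illustration; the alert and content-type numbers are the standard values.

```python
"""
Decode TLS records and alert messages from captured bytes.

Added example, not from the original post or from Fortinet. CAPTURE is a
constructed byte string, not traffic from the poster's environment; alert
and content-type codes are the standard values from RFC 5246 / RFC 8446.
"""
import struct

# Record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alert descriptions most often seen when certificate trust is the problem
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    116: "certificate_required",
}

# Constructed hints: where to look first for each alert, read from the wire
HINTS = {
    "unknown_ca": "the peer that SENT the alert could not chain the certificate "
                  "it received to a CA it trusts; check the CA loaded on that "
                  "side and whether the other side sends its intermediates",
    "certificate_expired": "check validity dates and the clock on both peers",
    "handshake_failure": "no common cipher suite or protocol version; compare "
                         "the minimum TLS version and cipher policy on both sides",
    "protocol_version": "the offered protocol version is not accepted by the peer",
}


def record_version(major, minor):
    """Name the record-layer version bytes (TLS 1.3 records also carry 3,3)."""
    if major == 3 and 1 <= minor <= 3:
        return "TLS 1.%d" % (minor - 1)
    if major == 3 and minor == 0:
        return "SSL 3.0"
    return "unknown(%d.%d)" % (major, minor)


def parse_records(data):
    """Split raw bytes into TLS records as (content_type, version, payload)."""
    records = []
    offset = 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, record_version(major, minor), payload))
        offset += 5 + length
    return records


def decode_alert(payload):
    """Return (level, description) for a plaintext alert body."""
    if len(payload) != 2:
        raise ValueError("alert body is not 2 bytes; it may be encrypted")
    level, description = payload[0], payload[1]
    return (ALERT_LEVELS.get(level, "unknown(%d)" % level),
            ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description))


def summarize(data):
    """One line per record; alerts are decoded and annotated with a hint."""
    lines = []
    for ctype, version, payload in parse_records(data):
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if name == "alert":
            level, description = decode_alert(payload)
            hint = HINTS.get(description, "")
            suffix = " (%s)" % hint if hint else ""
            lines.append("%s %s: %s %s%s" % (version, name, level, description, suffix))
        else:
            lines.append("%s %s: %d bytes" % (version, name, len(payload)))
    return lines


# Constructed capture: a 5-byte handshake fragment carried with record
# version TLS 1.0 (as many ClientHellos are), then a fatal unknown_ca alert.
CAPTURE = bytes.fromhex("1603010005" "0100000100") + bytes.fromhex("1503030002" "0230")

if __name__ == "__main__":
    for line in summarize(CAPTURE):
        print(line)
```

The point of the HINTS entry for unknown_ca is the direction of the alert: the side that sends it is the side whose trust store could not validate the certificate it was shown, so a fatal unknown_ca coming from the Fortigate points at the CA configured on the Fortigate (and at whether the server presents its full chain), not at the server's trust store.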