Certificate
I am trying to send syslog from my Fortigate 40F firewall to a Syslog Server with SSL encryption but I get error "Unknown CA".
Certificate Generation
I have generated a root certificate and a server certificate following the guide found here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Send-Syslog-over-TLS-to-a-rsyslog-server/t...
I uploaded the certificates to Fortigate Firewall Certificates:
Then I have the following settings on my Firewall:
acdc-fortigate # config log syslogd settingacdc-fortigate (setting) # show
config log syslogd setting
set status enable
set server "34.10.1.5"
set mode reliable
set port 6514
set enc-algorithm high
set certificate "syslog-servercert"
end
On my collector server where I run LimaCharlie Adapter I get the following error:
Jul 09 10:57:30 dev-collector[32395]: FLO Jul 9 10:57:30: last_ack=Jul 9 10:54:10 last_pressure=Jul 9 10:54:10
Jul 09 10:57:33 dev-collector[32395]: DBG Jul 9 10:57:33: handling new connection from 38.10.23.18:49874
Jul 09 10:57:33 dev-collector[32395]: WRN Jul 9 10:57:33: conn.Read(): remote error: tls: unknown certificate authority
Jul 09 10:57:33 dev-collector[32395]: DBG Jul 9 10:57:33: connection from 38.10.23.18:49874 leaving
This is confirmed from Wireshark TC dump on server:
Summary
My suggestion is that there is something wrong with the certificate I have generated by following the tutorial https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/320832/creating-certificates...
Anyone have any suggestion on how to fix this issue?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
- What is the SNI value which the firewall is sending the client hello packet?
- What is the server cert which you are getting as per the server hello and the CA which signed the certificate?
You may have to expand the capture and show the details of the client hello and certificate.
Regards,
Shiva
What is the SNI value which the firewall is sending the client hello packet?
There is no SNI value ssl.handshake.extensions_server_name in the client hello.
What is the server cert which you are getting as per the server hello and the CA which signed the certificate?
From Server Hello I see that I get the 'ACD_FGT' certificate.
Hi,
Can you please expand the issuer field as well?
Regards,
Shiva
Issuer field from server hello
Hi,
Is A_CA a intermidiate CA? I can see that there is a difference in common name. You can export the packet bytes of the capture and save it is a crt file and open it and verify the certificate. Please check if "X509v3 Basic Constraints:" Marked as "CA:TRUE"
Regards,
Shiva
The screenshot is confusing.
rdnSequence says the issuer's CN is "A_CA"
the individual entry shows the CN is "ADVANIACDC_CA"
Can you download that cert and confirm which is it? (it can't be both, that's too weird).
Right-click the "Certificate [truncated]" line -> Export Packet bytes -> save this somewhere as a file with a .cer extension, then open and inspect it as usual.
the same as UDP syslog in that logstash/syslog sees it as one big line for numerous log entries. I have logstash writing it to a log file and I do see data so its being encrypted, but if you tail just one line of the log file, it runs
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.