Category Archives: FortiGate

Single sign-on to Windows AD

Single sign-on to Windows AD

The FortiGate unit can authenticate users transparently and allow them network access based on their privileges in Windows AD. This means that users who have logged on to the network are not asked again for their credentials to access network resources through the FortiGate unit, hence the term “Single Sign-On” (SSO).

The following topics are included:

l Introduction to SSO with Windows AD l Configuring SSO to Windows AD l FortiOS FSSO log messages l Testing FSSO l Troubleshooting FSSO

Introduction to SSO with Windows AD

SSO support provided by FortiGate polling of domain controllers is simpler than the earlier method that relies on agent software installed on Windows AD network servers. No Fortinet software needs to be installed on the Windows network. The FortiGate unit needs access only to the Windows AD global catalog and event log.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:

l detects the logon event in the domain controller’s event log and records the workstation name, domain, and user, l resolves the workstation name to an IP address, l uses the domain controller’s LDAP server to determine which groups the user belongs to, l and creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consists of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

Configuring SSO to Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet SSO, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet SSO (FSSO) sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate unit.

To configure your FortiGate unit to operate with either a Windows AD or a Novell eDirectory FSSO install, you Configuring SSO to Windows AD

  • Configure LDAP access to the Windows AD global catalog. See Configuring LDAP server access on page 139.
  • Configure the LDAP Server as a Single Sign-On server. See Configuring the LDAP server as an SSO server on page 140.
  • Add Active Directory user groups to FortiGate FSSO user groups. See Creating FSSO user groups on page 141. l Create security policies for FSSO-authenticated groups. See Creating security policies on page 141.
  • Optionally, specify a guest protection profile to allow guest access. See Enabling guest access through FSSO security policies on page 143

Configuring LDAP server access

The FortiGate unit needs access to the domain controller’s LDAP server to retrieve user group information.

The LDAP configuration on the FortiGate unit not only provides access to the LDAP server, it sets up the retrieval of Windows AD user groups for you to select in FSSO. The LDAP Server configuration, found under User & Device > LDAP Servers, includes a function to preview the LDAP server’s response to your distinguished name query. If you already know the appropriate Distinguished Name (DN) and User DN settings, you may be able to skip some of the following steps.

To add an LDAP server – web-based manager:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the Server IP/Name and Server Port (default 389).
  3. In the Common Name Identifier field, enter sAMAccountName.The default common name identifier is cn. This is correct for most LDAP servers. However some servers use other identifiers such as uid.
  4. In the Distinguished Name field, enter your organization distinguished name. In this example, Distinguished Name is dc=techdoc,dc=local
  5. Select Fetch DN, this will fetch the Windows AD directory.
  6. Set Bind Type to
  7. In the User DN field, enter the administrative account name that you created for FSSO. 139

For example, if the account is administrator, enter “administrator@techdoc.local”.

  1. Enter the administrative account password in the Password
  2. Optionally select Secure Connection.

l In the Protocol field, select LDAPS or STARTTLS. l In the Certificate field, select the appropriate certificate for authentication.

Note that you need to configure the Windows AD for secure connection accordingly.

  1. Select OK.
  2. Test your configuration by selecting the Test A successful message confirming the right settings appears.

To configure LDAP for FSSO – CLI example:

config user ldap edit LDAP set server 10.10.20.3 set cnid sAMAccountName set dn dc=techdoc,dc=local set type regular

set username administrator@techdoc.local set password <your_password>

next

end

Configuring the LDAP server as an SSO server

The LDAP server must be added to the FortiGate SSO configuration.

To add the LDAP server as an SSO server:

  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Enter the following:
SSO/Identity Select Poll Active Directory Server.
Server IP/Name Server Name or IP address of the Domain Controller.
User A Domain user name.

 

Configuring SSO to Windows AD

Password The user’s password.
LDAP Server Select the LDAP server you added earlier.
Enable Polling Enable.
  1. Select OK.

Creating FSSO user groups

You cannot use Windows or Novell groups directly in FortiGate security policies. You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them.

To create a user group for FSSO authentication – web-based manager:

  1. Go to User & Device > User Groups and select Create New. The New User Group dialog box opens.
  2. In the Name box, enter a name for the group, FSSO_Internet_users for example.
  3. In Type, select Fortinet Single Sign-On (FSSO).
  4. In Members, select the required FSSO
  5. Select OK.

To create the FSSO_Internet-users user group – CLI

config user group edit FSSO_Internet_users set group-type fsso-service

set member CN=Engineering,cn=users,dc=office,dc=example,dc=com

CN=Sales,cn=users,dc=office,dc=example,dc=com end

Default FSSO group

SSO_Guest_users is a default user group enabled when FSSO is configured. It allows guest users on the network who do not have an FSSO account to authenticate and have access to network resources. See Enabling guest access through FSSO security policies on page 143.

Creating security policies

Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services

In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate

For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.

To configure an FSSO authentication security policy – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information.
Incoming Interface port1
Source Address company_network
Source User(s) fsso_group
Outgoing Interface port2
Destination Address all
Schedule always
Service HTTP, HTTPS, FTP, and Telnet
Action ACCEPT
NAT ON
UTM Security Profiles ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default profiles.
Log Allowed Traffic ON. Select Security Events.
  1. Select OK.
  2. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0 set srcintf port1 set dstintf port2 set srcaddr company_network

set dstaddr all set action accept set groups fsso_group set schedule always set service HTTP HTTPS FTP TELNET set nat enable

end

Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy FortiOS FSSO log messages

intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.

Enabling guest access through FSSO security policies

You can enable guest users to access FSSO security policies. Guests are users who are unknown to Windows AD and servers that do not logon to a Windows AD domain.

To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and UTM profiles that apply to guest users — typically guests have access to a reduced set of services. See Creating security policies on page 141.

FortiOS FSSO log messages

There are two types of FortiOS log messages — firewall and event. FSSO related log messages are generated from authentication events. These include user logon and log off events, and NTLM authentication events. These log messages are central to network accounting policies, and can also be useful in troubleshooting issues. For more information on firewall logging, see Enabling security logging on page 84. For more information on logging, see the FortiOS Handbook Logging and Reporting guide.

Enabling authentication event logging

For the FortiGate unit to log events, that specific type of event must be enabled under logging.

When VDOMs are enabled certain options may not be available, such as CPU and memory usage events. You can enable event logs only when you are logged on to a VDOM; you cannot enable event logs globally.

To ensure you log all the events needed, set the minimum log level to Notification or Information. Firewall logging requires Notification as a minimum. The closer to Debug level, the more information will be logged.

To enable event logging:

  1. Go to Log & Report > Log Settings.
  2. Under Log Settings, set Event Logging to Customize and select
System activity event All system-related events, such as ping server failure and gateway status.
User activity event All administration events, such as user logins, resets, and configuration updates.
  1. Select Apply.

      List of FSSO related log messages

Message ID Severity Description
43008 Notification Authentication was successful
43009 Notification Authentication session failed

 

Testing

Message ID Severity Description
43010 Warning Authentication locked out
43011 Notification Authentication timed out
43012 Notification FSSO authentication was successful
43013 Notification FSSO authentication failed
43014 Notification FSSO user logged on
43015 Notification FSSO user logged off
43016 Notification NTLM authentication was successful
43017 Notification NTLM authentication failed

For more information on logging, see the FortiOS Handbook Logging and Reporting guide.

Extra filter options for security events

Logon events are detected by the FSSO CA by monitoring the Security Event logs. Additional logon event filters, such as ServiceName and ServiceID, have been implemented so as to avoid instances of conflicting security events, where existing user information could be overwritten.

Testing FSSO

Once FSSO is configured, you can easily test to ensure your configuration is working as expected. For additional FSSO testing, see Troubleshooting FSSO on page 145.

  1. Logon to one of the stations on the FSSO domain, and access an Internet resource.
  2. Connect to the CLI of the FortiGate unit, and if possible log the output.
  3. Enter the following command:diagnose debug authd fsso list
  4. Check the output. If FSSO is functioning properly you will see something similar to the following:

—-FSSO logons—-

IP: 192.168.1.230 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS

IP: 192.168.1.240 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS

Total number of users logged on: 2

—-end of FSSO logons—-

The exact information will vary based on your installation.

  1. Check the FortiGate event log, for FSSO-auth action or other FSSO related events with FSSO information in the message field.
  2. To check server connectivity, run the following commands from the CLI:

FGT# diagnose debug enable

FGT# diagnose debug authd fsso server-status

FGT# Server Name Connection Status      ———– —————–

SBS-2003 connected

Troubleshooting FSSO

When installing, configuring, and working with FSSO some problems are quite common. A selection of these problems follows including explanations and solutions.

Some common Windows AD problems include:

l General troubleshooting tips for FSSO l Users on a particular computer (IP address) can not access the network l Guest users do not have access to network

General troubleshooting tips for FSSO

The following tips are useful in many FSSO troubleshooting situations.

  • Ensure all firewalls are allowing the FSSO required ports through.

FSSO has a number of required ports that must be allowed through all firewalls or connections will fail. These include: ports 139, 389 (LDAP), 445, 636 (LDAP).

  • Ensure there is at least 64kbps bandwidth between the FortiGate unit and domain controllers. If there is insufficient bandwidth, some FSSO information might not reach the FortiGate unit. The best solution is to configure traffic shaping between the FortiGate unit and the domain controllers to ensure that the minimum bandwidth is always available.

Users on a particular computer (IP address) can not access the network

Windows AD Domain Controller agent gets the username and workstation where the logon attempt is coming from. If there are two computers with the same IP address and the same user trying to logon, it is possible for the authentication system to become confused and believe that the user on computer_1 is actually trying to access computer_2.

Windows AD does not track when a user logs out. It is possible that a user logs out on one computer, and immediate logs onto a second computer while the system still believes the user is logged on the original computer. While this is allowed, information that is intended for the session on one computer may mistakenly end up going to the other computer instead. The result would look similar to a hijacked session. Solutions

l Ensure each computer has separate IP addresses. l Encourage users to logout on one machine before logging onto another machine. l If multiple users have the same username, change the usernames to be unique. l Shorten timeout timer to flush inactive sessions after a shorter time.

Guest users do not have access to network

A group of guest users was created, but they don’t have access.

Solution

The group of the guest users was not included in a policy, so they do not fall under the guest account. To give them access, associate their group with a security policy.

Additionally, there is a default group called SSO_Guest_Users. Ensure that group is part of an identity-based security policy to allow traffic.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Single sign-on using a FortiAuthenticator unit

Single sign-on using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent, l Users can authenticate through a web portal on the FortiAuthenticator unit.

l Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

User’s view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

Users without FortiClient Endpoint Security – SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

                                User not logged in. Click Login to go to the FortiAuthenticator login page.
                   User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the

FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

Administrator’s view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

Configuring the FortiAuthenticator unit

SSO widget

Single sign-on using a FortiAuthenticator

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication.

On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 135.

Configuring the FortiAuthenticator unit

The FortiAuthenticator unit can poll FortiGate units, Windows Active Directory, RADIUS servers, LDAP servers, and FortiClients for information about user logon activity.

To configure FortiAuthenticator polling:

  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave the Listening port at 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall.

Optionally, you can set the Login Expiry time. This is the length of time users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).

  1. Select Enable Authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  2. In the Fortinet Single Sign-On (FSSO) section, enter
Enable Windows Active Directory domain controllers Select for integration with Windows Active Directory.
Enable Radius accounting SSO clients Select if you want to use a Remote Radius server.
Enable Syslog SSO Select for integration with Syslog server.
Enable FortiClient SSO Mobility Agent service

Enable Authentication

Select both options to enable single sign-on by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.
  1. Select OK.

For more information, see the FortiAuthenticator Administration Guide.

134       FortiOS™ Handbook – Authentication Fortinet Technologies Inc.

Configuring the FortiGate unit

Adding a FortiAuthenticator unit as an SSO agent

On the FortiGate unit, you need to add the FortiAuthenticator unit as a Single Sign-On agent that provides user logon information.

To add a FortiAuthenticator unit as an SSO agent:

  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select Fortinet Single Sign-On Agent.
  3. Enter a Name for the FortiAuthenticator unit (in the example, FAC).
  4. In Primary FSSO Agent, enter the IP address of the FortiAuthenticator unit and password.

On the FortiAuthenticator unit, go to Fortinet SSO Methods > SSO > General to define the secret key. Select Enable Authentication.

  1. Keep Collector Agent AD access mode set to Standard, and select OK.

The entry is shown in the SSO/Identity server list, with a green arrow indicating a successful connection. Select the plus-symbol to view the list of user groups that the FortiGate has received from the FortiAuthenticator.

When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

Configuring an FSSO user group

You cannot use FortiAuthenticator SSO user groups directly in a security policy. Create an FSSO user group and add FortiAuthenticator SSO user groups to it. FortiGate FSSO user groups are available for selection in identitybased security policies.

To create an FSSO user group:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In Type, select Fortinet Single Sign-On (FSSO).
  4. Add Members.

The groups available to add as members are SSO groups provided by SSO agents.

  1. Select OK.

Configuring security policies

You can create identity-based policies based on FSSO groups as you do for local user groups. For more information about security policies see the Firewall chapter.

Configuring the FortiClient SSO Mobility Agent

The user’s device must have at least FortiClient Endpoint Security v5.0 installed. Only two pieces of information are required to set up the SSO Mobility Agent feature: the FortiAuthenticator unit IP address and the pre-shared secret.

The user needs to know the FortiAuthenticator IP address and pre-shared secret to set up the SSO Mobility Agent. Or, you could preconfigure FortiClient.

To configure FortiClient SSO Mobility Agent:

  1. In FortiClient Endpoint Security, go to File > Settings.

You must run the FortiClient application as an administrator to access these settings.

  1. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address, including the listening port number specified on the FortiAuthenticator unit.

Example: 192.168.0.99:8001. You can omit the port number if it is 8005.

  1. Enter the pre-shared key.
  2. Select OK.

Viewing SSO authentication events on the FortiGate unit

User authentication events are logged in the FortiGate event log.

Go to Log & Report > System Events.

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Support for per-VDOM certificates

Support for per-VDOM certificates

The CA and local certificate configuration is available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

There are factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, Fortinet_Wifi, and Fortinet_

Factory. These certificates are moved to per-VDOM and automatically generated when a new VDOM is created.

CLI changes

Two new attributes range and source have been added:

range can be global or per-VDOM, if the certificate file is imported from global, it is a global certificate. If the certificate file is imported from a VDOM, it is VDOM certificate. source can be either factory, user, or fortiguard:

  • factory: The factory certificate file with FortiOS version, this includes: Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, Fortinet_Factory.
  • user: Certificate file imported by the user.
  • fortiguard: Certificate file imported from FortiGuard.

config certificate local edit Fortinet_Factory set range {global | vdom} set source {factory | user | fortiguard}

end

end

GUI changes

Global and new VDOMs have the following factory default certificates:

These certificates are created automatically when a new VDOM is created, with every VDOM having its own versions of these certificates.

Example — Generate a CSR on the FortiGate unit

This example follows all the steps required to create and install a local certificate on the FortiGate unit, without using CA software.

Example — Generate and Import CA certificate with private key pair on

The FortiGate unit is called myFortiGate60, and is located at 10.11.101.101 (a private IP address) and http://myfortigate.example.com. Mr. John Smith (john.smith@myfortigate.example.com) is the IT administrator for this FortiGate unit, and the unit belongs to the Sales department located in Greenwich, London, England.

To generate a certificate request on the FortiGate unit – web-based manager:

  1. Go to System > Certificates.
  2. Select Generate.
  3. In the Certificate Name field, enter myFortiGate60.

Since the IP address is private, we will use the FQDN instead.

  1. Select Domain Name, and enter http://myfortigate.example.com.
  2. Enter values in the Optional Information area to further identify the FortiGate unit.
Organization Unit Sales
Organization Example.com
Locality (City) Greenwich
State/Province London
Country England
e-mail john.smith@myfortigate.example.com
  1. From the Key Type list, select RSA or Elliptic Curve.
  2. If RSA is selected, set Key Size to 2048 Bit. If Elliptic Curve is selected, set Curve Name to secp256r1. In Enrollment Method, select File Based to generate the certificate request
  3. Select OK.

The request is generated and displayed in the Local Certificates list with a status of PENDING.

  1. Select the Download button to download the request to the management computer.
  2. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.
  3. Name the file and save it on the local file system of the management computer.

Example — Generate and Import CA certificate with private key pair on OpenSSL

This example explains how to generate a certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

and Import CA certificate with private key pair on OpenSSL

Assumptions

Before starting this procedure, ensure that you have downloaded and installed OpenSSL on Windows. One source is: http://www.slproweb.com/products/Win32OpenSSL.html.

Generating and importing the CA certificate and private key

The two following procedures will generate a CA certificate file and private key file, and then import it to the FortiGate unit as a local certificate.

To generate the private key and certificate

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet123.

openssl genrsa -aes256 -out fgtcapriv.key 2048

This command generates an RSA AES256 2048-bit encryption key.

  1. The following command will generate the certificate using the key from the previous step.

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgtcapriv.key -out fgtca.crt

This step generates an X509 CA certificate good for 10 years that uses the key generated in the previous step. The certificate filename is fgtca.crt.

You will be prompted to enter information such as PEM Pass Phrase from the previous step, Country Name, State, Organization Name, Organizational Unit (such as department name), Common Name (the FQDN), and Email Address.

To import the certificate to the FortiGate unit – web-based manager:

  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.

Fields for Certificate file, Key file, and Password are displayed.

  1. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtca.crt.
  2. For Key file, enter c:\OpenSSL-Win32\bin\fgtcapriv.key.
  3. For Password, enter the PEM Pass Phrase you entered earlier, such as fortinet123.
  4. Select OK.

The Certificate will be added to the list of Local Certificates and be ready for use. It will appear in the list as the filename you uploaded — fgtca.You can add comments to this certificate to make it clear where its from and how it is intended to be used. If you download the certificate from FortiOS, it is a .CER file.

Example — Generate an SSL certificate in

It can now be used in Authenticating IPsec VPN users with security certificates on page 126, and Authenticating SSL VPN users with security certificates on page 125.

Example — Generate an SSL certificate in OpenSSL

This example explains how to generate a CA signed SSL certificate using OpenSSL on MS Windows. OpenSSL is available for Linux and Mac OS as well, however their terminology will vary slightly from what is presented here.

In this example, you will:

l Generate a CA signed SSL certificate l Generate a self-signed SSL certificate l Import the SSL certificate into FortiOS

Assumptions

l Before starting this procedure, ensure that you have downloaded and installed OpenSSL on MS Windows. One download source is http://www.slproweb.com/products/Win32OpenSSL.html.

Generating a CA signed SSL certificate

This procedure assumes that you have already completed Example — Generate and Import CA certificate with private key pair on OpenSSL on page 128 successfully.

To generate the CA signed SSL certificate:

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048

This command generates an RSA AES256 2048-bit encryption key.

  1. Create a certificate signing request for the SSL certificate. This step requires you to enter the information listed in step 3 of the previous example — To generate the private key and certificate. You can leave the Challenge Password blank.

openssl req -new -sha256 -key fgtssl.key -out fgtssl.csr

Most Certificate Authorities will ignore the value that is set in the CSR and use whatever value they are set to use in their configuration. This means that the client will likely need to modify their openssl.conf file to use SHA-256 (or another SHA-2 variant). an SSL certificate in OpenSSL

  1. Using the CSR from the previous step, you can now create the SSL certificate using the CA certificate that was created in Example — Generate and Import CA certificate with private key pair on OpenSSL.

openssl x509 -req -days 365 -in fgtssl.csr -CA fgtca.crt -CAkey fgtcapriv.key -set_ serial 01 -out fgtssl.crt

This will generate an X.509 certificate good for 365 days signed by the CA certificate fgtca.crt.

Generating a self-signed SSL certificate

This procedures does not require any existing certificates.

  1. At the Windows command prompt, go to the OpenSSL bin directory. If you installed to the default location this will be the following command:

cd c:\OpenSSL-Win32\bin

  1. Enter the following command to generate the private key. You will be prompted to enter your PEM pass phrase. Choose something easy to remember such as fortinet.

openssl genrsa -aes256 -out fgtssl.key 2048 openssl req -new -key fgtssl.key -out fgtssl.csr openssl x509 -req -days 365 -in fgtssl.csr -signkey fgtssl.key -out fgtssl.crt

These commands:

l generate an RSA AES256 2048-bit private key, l generate an SSL certificate signing request, and l sign the CSR to generate an SSL .CRT certificate file.

Import the SSL certificate into FortiOS

To import the certificate to FortiOS- web-based manager

  1. Go to System > Certificates.
  2. Select Import > Local Certificate.
  3. Select Certificate for Type.

Fields for Certificate file, Key file, and Password are displayed.

  1. For Certificate file, enter c:\OpenSSL-Win32\bin\fgtssl.crt.
  2. For Key file, enter c:\OpenSSL-Win32\bin\fgtssl.key.
  3. For Password, enter the PEM Pass Phrase you entered, such as fortinet.
  4. Select OK.

The SSL certificate you just uploaded can be found under System > Certificates under the name of the file you uploaded — fgtssl.

To confirm the certificate is uploaded properly – CLI:

config vpn certificate local edit fgtssl get

Example — Generate an SSL certificate in

end

The get command will display all the certificate’s information. If it is not there or the information is not correct, you will need to remove the corrupted certificate (if it is there) and upload it again from your PC.

To use the new SSL certificate – CLI

config vpn ssl settings set servercert fgtssl

end

This assigns the fgtssl certificate as the SSL server certificate. For more information see the FortiOS Handbook SSL VPN guide.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Authenticating IPsec VPN users with security certificates

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

To enable the FortiGate unit to authenticate itself with a certificate:

  1. Install a signed server certificate on the FortiGate unit.

See To install or import the signed server certificate – web-based manager on page 118.

  1. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate on page 119.
  2. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see To import a certificate revocation list on page 119.
  3. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

To configure certificate authentication of a single peer

  1. Install the CA root certificate and CRL.
  2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate

To configure certificate authentication of multiple peers (dialup VPN)

  1. Install the corresponding CA root certificate and CRL.
  2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI user group that you created in the Peer certificate group field.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Authenticating SSL VPN users with security certificates

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

To enable certificate authentication for an SSL VPN user group:

  1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.
  2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.
  3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 118).
  4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.
  6. Go to Policy & Objects > IPv4 Policy.
  7. Edit the SSL-VPN security policy.
  8. Select the user group created earlier in the Source User(s)
  9. Select OK.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Authenticating administrators with security certificates

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators. When a personal certificate is installed on the management computer, the FortiGate unit processes the certificate after the administrator supplies a username and password.

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 118 ).
  • Create a PKI user account for the administrator. l Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.

Configuring certificate-based authentication

  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

Support exact match for subject and CN fields in peer user

In order to avoid any unintentional admin access by regular users, administrators can specify which way a peer user authenticates.

When searching for a matching certificate, use the commands below to control how to find matches in the certificate subject name (subject-match) or the cn attribute (cn-match) of the certificate subject name. This match can be any string (substring) or an exact match (value) of the cn attribute value.

To determine certificate subject name matches – CLI:

config vpn certificate setting edit <name> set subject-match {substring | value} set cn-match {substring | value}

next

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring certificate-based authentication

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Troubleshooting certificates

Troubleshooting certificates

There are times when there are problems with certificates — a certificate is seen as expired when its not, or it can’t be found. Often the problem is with a third party web site, and not FortiOS. However, some problems can be traced back to FortiOS such as DNS or routing issues.

Enable and disable SHA1 algorithm in SSH key exchanges

In order to investigate your security and conduct compliance testing, a global option allows you to enable/disable SHA1 algorithm in SSH key exchange. Note that, the algorithm is enabled by default.

Syntax

config system global set ssh-key-sha1 {enable | disable}

end

Certificate incorrectly reported as expired

Certificates often are issued for a set period of time such as a day or a month, depending on their intended use. This ensures everyone is using up-to-date certificates. It is also more difficult for hackers to steal and use old certificates.

Reasons a certificate may be reported as expired include:

  • It really has expired based on the “best before” date in the certificate l The FortiGate unit clock is not properly set. If the FortiGate clock is fast, it will see a certificate as expired before the expiry date is really here.
  • The requesting server clock is not properly set. A valid example is if your certificate is 2 hours from expiring, a server more than two time zones away would see the certificate as expired. Otherwise, if the server’s clock is set wrongly it will also have the same effect.

Troubleshooting

  • The certificate was revoked by the issuer before the expiry date. This may happen if the issuer believes a certificate was either stolen or misused. Its possible it is due to reasons on the issuer’s side, such as a system change or such. In either case it is best to contact the certificate issuer to determine what is happening and why.

A secure connection cannot be completed (certificate cannot be found)

Everyone who uses a browser has encountered a message such as This connection is untrusted. Normally when you try to connect securely to a web site, that web site will present its valid certificate to prove their identity is valid. When the web site’s certificate cannot be verified as valid, the message appears stating This connection is untrusted or something similar. If you usually connect to this web site without problems, this error could mean that someone is trying to impersonate or hijack the web site, and best practices dictates you not continue.

Reasons a web site’s certificate cannot be validated include:

  • The web site uses an unrecognized self-signed certificate. These are not secure because anyone can sign them. If you accept self-signed certificates you do so at your own risk. Best practices dictate that you must confirm the ID of the web site using some other method before you accept the certificate.
  • The certificate is valid for a different domain. A certificate is valid for a specific location, domain, or sub-section of a domain such as one certificate for example.com that is not valid for marketing.example.com. If you encounter this problem, contact the webmaster for the web site to inform them of the problem.
  • There is a DNS or routing problem. If the web site’s certificate cannot be verified, it will not be accepted. Generally to be verified, your system checks with the third party certificate signing authority to verify the certificate is valid. If you cannot reach that third party due to some DNS or routing error, the certificate will not be verified.
  • Firewall is blocking required ports. Ensure that any firewalls between the requesting computer and the web site allow the secure traffic through the firewall. Otherwise a hole must be opened to allow it through. This includes ports such as 443 (HTTPS) and 22 (SSH).

Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.
scep-password <password_str> The password for the SCEP server.
auto-regenerate-days <days_ int> How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.
auto-regenerate-days-warning <days_int> How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local edit mycert

Troubleshooting

set scep-url http://scep.example.com/scep set scep-server-password my_pass_123 set auto-regenerate-days 3 set auto-regenerate-days-warning 2

end

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

Variable                                                 Description
scep-url <URL_str>              The URL of the SCEP server. This can be HTTP or HTTPS.
How many days before expiry the FortiGate unit requests an auto-update-days <days_int> updated CA certificate. The default is 0, no auto-update.
auto-update-days-warning        How many days before CA certificate expiry the FortiGate

<days_int>                     generates a warning message. The default is 0,no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca edit mycert set scep-url http://scep.example.com/scep set auto-update-days 3 set auto-update-days-warning 2

end

Certificate revocation lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

Variable Description
http-url <http_url> URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
scep-cert <scep_certificate> Local certificate used for SCEP communication for CRL autoupdate.
scep-url <scep_url> URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.
update-interval <seconds> How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires.

Not available for http URLs.

update-vdom <update_vdom> VDOM used to communicate with remote SCEP server for CRL auto-update.

In this example, an updated CRL is requested only when it expires.

Troubleshooting

config vpn certificate crl edit cert_crl set http-url http://scep.example.com/scep set scep-cert my-scep-cert

set scep-url http://scep.ca.example.com/scep set update-interval 0 set update-vdom root

end

Backing up and restoring local certificates

The FortiGate unit provides a way to export and import a server certificate and the FortiGate unit’s personal key through the CLI. If required (to restore the FortiGate unit configuration), you can import the exported file through the System > Certificates page of the web-based manager.

As an alternative, you can back up and restore the entire FortiGate configuration through the System Information widget on the Dashboard of the web-based manager. Look for [Backup] and [Restore] in the System Configuration row. The backup file is created in a FortiGate-proprietary format.

To export a server certificate and private key – CLI:

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate unit before you enter the command.

  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:

execute vpn certificate local export tftp <cert_name> <exp_filename> <tftp_ip>

<password>

where:

l <cert_name> is the name of the server certificate; typing ? displays a list of installed server certificates. l <exp_filename> is a name for the output file. l <tftp_ip> is the IP address assigned to the TFTP server host interface.

  1. Move the output file from the TFTP server location to the management computer for future reference.

To import a server certificate and private key – web-based manager:

  1. Go to System > Certificates and select Import.
  2. In Type, select PKCS12 Certificate.
  3. Select Browse. Browse to the location on the management computer where the exported file has been saved, select the file, and then select Open.
  4. In the Password field, type the password needed to upload the exported file.
  5. Select OK, and then select Return.

To import a server certificate and private key – CLI:

  1. Connect to the FortiGate unit through the CLI.
  2. Type the following command:

 

Configuring certificate-based authentication

execute vpn certificate local import tftp <file_name> <tftp_ip_address> <file_type> <Enter for ‘cer’>|<password for ‘p12’> For example:

execute vpn certificate local import tftp FGTF-extern.p12 10.1.100.253 p12 123456

To import separate server certificate and private key files – web-based manager

Use the following procedure to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.

  1. Go to System > Certificates and select Import.
  2. In Type, select Certificate.
  3. Select the Browse button beside the Certificate file Browse to the location on the management computer where the certificate file has been saved, select the file, and then select Open.
  4. Select the Browse button beside the Key file Browse to the location on the management computer where the key file has been saved, select the file, and then select Open.
  5. If required, in the Password field, type the associated password, and then select OK.
  6. Select Return.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!