Single Sign-On using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent:

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

 

User’s view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

 

Users without FortiClient Endpoint Security – SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

User not logged in. Click Login to go to the FortiAuthenticator login page.

User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

 

Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

 

Administrator’s view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

 

SSO widget

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

 

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication. On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 542.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring certificate-based authentication

You can configure certificate-based authentication for FortiGate administrators, SSL VPN users, and IPsec VPN users.

In Microsoft Windows 7, you can use the certificate manager to keep track of all the different certificates on your local computer. To access certificate manager, in Windows 7 press the Windows key, enter “certmgr.msc” at the search prompt, and select the displayed match. Remember that in addition to these system certificates, many applications require you to register certificates with them directly.

To see FortiClient certificates, open the FortiClient Console, and select VPN. The VPN menu has options for My Certificates (local or client) and CA Certificates (root or intermediary certificate authorities). Use Import on those screens to import certificate files from other sources.

 

Authenticating administrators with security certificates

You can install a certificate on the management computer to support strong authentication for administrators. When a personal certificate is installed on the management computer, the FortiGate unit processes the certificate after the administrator supplies a username and password.

 

To enable strong administrative authentication:

  • Obtain a signed personal certificate for the administrator from a CA and load the signed personal certificate into the web browser on the management computer according to the browser documentation.
  • Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529).
  • Create a PKI user account for the administrator.
  • Add the PKI user account to a firewall user group dedicated to PKI-authenticated administrators.
  • In the administrator account configuration, select PKI as the account Type and select the User Group to which the administrator belongs.

 

Authenticating SSL VPN users with security certificates

While the default self-signed certificates can be used for HTTPS connections, it is preferable to use the X.509 server certificate to avoid the redirection as it can be misinterpreted as possible session hijacking. However, the server certificate method is more complex than self-signed security certificates. Also the warning message is typically displayed for the initial connection, and future connections will not generate these messages.

X.509 certificates can be used to authenticate IPsec VPN peers or clients, or SSL VPN clients. When configured to authenticate a VPN peer or client, the FortiGate unit prompts the VPN peer or client to authenticate itself using the X.509 certificate. The certificate supplied by the VPN peer or client must be verifiable using the root CA certificate installed on the FortiGate unit in order for a VPN tunnel to be established.

 

To enable certificate authentication for an SSL VPN user group:

1. Install a signed server certificate on the FortiGate unit and install the corresponding root certificate (and CRL) from the issuing CA on the remote peer or client.

2. Obtain a signed group certificate from a CA and load the signed group certificate into the web browser used by each user. Follow the browser documentation to load the certificates.

3. Install the root certificate and the CRL from the issuing CA on the FortiGate unit (see Installing a CA root certificate and CRL to authenticate remote clients on page 529).

4. Create a PKI user for each SSL VPN user. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

5. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the SSL VPN users who are authenticated by certificate.

6. Go to Policy & Objects > Policy > IPv4.

7. Edit the SSL-VPN security policy.

8. Select the user group created earlier in the Source User(s) field.

9. Select OK.

 

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

 

To enable the FortiGate unit to authenticate itself with a certificate:

1. Install a signed server certificate on the FortiGate unit.

See To install or import the signed server certificate – web-based manager on page 529.

2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate on page 529.

3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see To import a certificate revocation list on page 529.

4. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or this is a dialup VPN that can have multiple peers.

 

To configure certificate authentication of a single peer

1. Install the CA root certificate and CRL.

2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate field.

 

To configure certificate authentication of multiple peers (dialup VPN)

1. Install the corresponding CA root certificate and CRL.

2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.

3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.

4. In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI user group that you created in the Peer certificate group field.
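
The PKI user, peer group and phase 1 steps of the dialup procedure above, written out as FortiOS CLI; the same config user peer and config user peergrp objects serve the SSL VPN procedure earlier on this page. This is an added example, not configuration from the original page: every object name, Subject string and the wan1 interface is a placeholder, and an interface-mode IPsec VPN is assumed.

```fortios
# Added example. All names below are placeholders, not values from the page.

# One PKI user per remote peer. "subject" is the text string that appears
# in the Subject field of that peer's certificate; "ca" is the CA
# certificate imported on the FortiGate unit that issued it.
config user peer
    edit "peer-alice"
        set ca "CA_Cert_1"
        set subject "alice.example.com"
    next
    edit "peer-bob"
        set ca "CA_Cert_1"
        set subject "bob.example.com"
    next
end

# Peer user group holding every PKI user allowed to use the VPN.
config user peergrp
    edit "vpn-pki-peers"
        set member "peer-alice" "peer-bob"
    next
end

# Phase 1: the FortiGate unit authenticates itself with its signed server
# certificate (authmethod signature) and accepts only peers whose
# certificate matches a member of the peer group.
config vpn ipsec phase1-interface
    edit "dialup-cert"
        set type dynamic
        set interface "wan1"
        set authmethod signature
        set certificate "fgt-server-cert"
        set peertype peergrp
        set peergrp "vpn-pki-peers"
    next
end

# Single-peer variant of the last two settings:
#     set peertype peer
#     set peer "peer-alice"
```

A peer whose certificate chains to the CA but whose Subject matches no group member is rejected, which is what separates this from accepting any certificate the CA has issued.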



Online updates to certificates and CRLs

If you obtained your local or CA certificate using SCEP, you can configure online renewal of the certificate before it expires. Similarly, you can receive online updates to CRLs.

 

Local certificates

In the config vpn certificate local command, you can specify automatic certificate renewal. The relevant fields are:

Variable                                  Description

scep-url <URL_str>                        The URL of the SCEP server. This can be HTTP or HTTPS. The following options appear after you add the <URL_str>.

scep-password <password_str>              The password for the SCEP server.

auto-regenerate-days <days_int>           How many days before expiry the FortiGate unit requests an updated local certificate. The default is 0, no auto-update.

auto-regenerate-days-warning <days_int>   How many days before local certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate local
    edit mycert
        set scep-url http://scep.example.com/scep
        set scep-password my_pass_123
        set auto-regenerate-days 3
        set auto-regenerate-days-warning 2
    end

 

CA certificates

In the config vpn certificate ca command, you can specify automatic certificate renewal. The relevant fields are:

 

Variable                                  Description

scep-url <URL_str>                        The URL of the SCEP server. This can be HTTP or HTTPS.

auto-update-days <days_int>               How many days before expiry the FortiGate unit requests an updated CA certificate. The default is 0, no auto-update.

auto-update-days-warning <days_int>       How many days before CA certificate expiry the FortiGate generates a warning message. The default is 0, no warning.

In this example, an updated certificate is requested three days before it expires.

config vpn certificate ca
    edit mycert
        set scep-url http://scep.example.com/scep
        set auto-update-days 3
        set auto-update-days-warning 2
    end

 

Certificate Revocation Lists

If you obtained your CRL using SCEP, you can configure online updates to the CRL using the config vpn certificate crl command. The relevant fields are:

 

Variable                                  Description

http-url <http_url>                       URL of the server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

scep-cert <scep_certificate>              Local certificate used for SCEP communication for CRL auto-update.

scep-url <scep_url>                       URL of the SCEP CA server used for automatic CRL certificate updates. This can be HTTP or HTTPS.

update-interval <seconds>                 How frequently, in seconds, the FortiGate unit checks for an updated CRL. Enter 0 to update the CRL only when it expires. Not available for http URLs.

update-vdom <update_vdom>                 VDOM used to communicate with remote SCEP server for CRL auto-update.

In this example, an updated CRL is requested only when it expires.

config vpn certificate crl
    edit cert_crl
        set http-url http://scep.example.com/scep
        set scep-cert my-scep-cert
        set scep-url http://scep.ca.example.com/scep
        set update-interval 0
        set update-vdom root
    end



Late Night Vulnerability Scare

About to head to bed but figured I would pass this little tidbit on. Fortinet devices (FortiAnalyzer and FortiManager) are affected by PSIRT ID: 1624489. This information is thanks to Mr. Nifty on the Fortinet Reddit.

The information he was able to pull from Fortinet is as follows:

Only affects FAZ and FMG systems. Patched in 5.0.12, 5.2.6 and 5.4.1 (still not released). No work-arounds. Medium threat level (3.7), client-side XSS vulnerability in their CSS code.

Public disclosure has not happened because they are still confirming affected code, working on releasing latest 5.4.1, and apparently it may overlap with other PSIRT cases. So Fortinet is still researching it basically.

So, if you wanted to be nervous about your Fortinet hardware right before heading to bed then go ahead. I’m probably about to drink a beer and pass out myself. Click Here To Read The Reddit Post



Troubleshooting certificates

There are times when there are problems with certificates: a certificate is seen as expired when it’s not, or it can’t be found. Often the problem is with a third party web site, and not FortiOS. However, some problems can be traced back to FortiOS such as DNS or routing issues.

 

Certificate is reported as expired when it is not

Certificates often are issued for a set period of time such as a day or a month, depending on their intended use. This ensures everyone is using up-to-date certificates. It is also more difficult for hackers to steal and use old certificates.

Reasons a certificate may be reported as expired include:

  • It really has expired based on the “best before” date in the certificate
  • The FortiGate unit clock is not properly set. If the FortiGate clock is fast, it will see a certificate as expired before the expiry date is really here.
  • The requesting server clock is not properly set. A valid example is if your certificate is 2 hours from expiring, a server more than two time zones away would see the certificate as expired. Otherwise, if the server’s clock is set wrongly it will also have the same effect.
  • The certificate was revoked by the issuer before the expiry date. This may happen if the issuer believes a certificate was either stolen or misused. It’s possible the revocation is due to reasons on the issuer’s side, such as a system change. In either case it is best to contact the certificate issuer to determine what is happening and why.

 

A secure connection cannot be completed (Certificate cannot be found)

Everyone who uses a browser has encountered a message such as This connection is untrusted. Normally when you try to connect securely to a web site, that web site will present its valid certificate to prove its identity. When the web site’s certificate cannot be verified as valid, the message appears stating This connection is untrusted or something similar. If you usually connect to this web site without problems, this error could mean that someone is trying to impersonate or hijack the web site, and best practices dictate you not continue.

 

Reasons a web site’s certificate cannot be validated include:

  • The web site uses an unrecognized self-signed certificate. These are not secure because anyone can sign them. If you accept self-signed certificates you do so at your own risk. Best practices dictate that you must confirm the ID of the web site using some other method before you accept the certificate.
  • The certificate is valid for a different domain. A certificate is valid for a specific location, domain, or sub-section of a domain such as one certificate for support.example.com that is not valid for marketing.example.com. If you encounter this problem, contact the webmaster for the web site to inform them of the problem.
  • There is a DNS or routing problem. If the web site’s certificate cannot be verified, it will not be accepted. Generally to be verified, your system checks with the third party certificate signing authority to verify the certificate is valid. If you cannot reach that third party due to some DNS or routing error, the certificate will not be verified.
  • Firewall is blocking required ports. Ensure that any firewalls between the requesting computer and the web site allow the secure traffic through the firewall. Otherwise a hole must be opened to allow it through. This includes ports such as 443 (HTTPS) and 22 (SSH).


Installing a CA root certificate and CRL to authenticate remote clients

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.

To install a CA root certificate

1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.

2. On the FortiGate unit, go to System > Certificates > Import > CA Certificates.

3. Do one of the following:

  • To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.

  • To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.

4. Select OK, and then select Return.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

 

To import a certificate revocation list

A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date. The interval is typically 7 days (for Microsoft CA). FortiOS will update the CRL automatically. There is also a CLI command to specify an “update-interval” in seconds. The recommended interval is 24 hours (86400 seconds), but this depends on company security policy.

1. After you download the CRL from the CA web site, save the CRL on the management computer.

2. Go to System > Certificates > Import > CRL.

3. Do one of the following:

  • To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
  • To import using an LDAP server see this KB article.
  • To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
  • To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.

4. Select OK, and then select Return.



Custom FortiAnalyzer Report To See Blocked URLs for a Category

Ian on Fortinet’s forums asked a good question. You can see the question below:

Hi

I want to create a report that allows me to select a category and then to list all the activity for users where the URLS match that category. For example a report that lists user name, source IP, date time, url for the “Explicit Violence” category.

I have had a look at the datasets but my SQL coding is not too good 🙁

Has anyone tried this or any tips on what I need to do.

Regards

Ian

This is an awesome question and would be an incredible report to have right? Well, CrisP replied with an incredible solution to this issue.

Hello Ian,
I hate unanswered questions on a forum like this…
So here you have my two pennies on this.

Create a new dataset using
==============================
select
from_dtime(dtime) as timestamp, user_src, catdesc, hostname as website,
action as status, sum(bandwidth) as bandwidth
from
###(
select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
dtime, catdesc, hostname, utmaction as action,
sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth
from $log-traffic
where $filter and
hostname is not null and
logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0)
or
((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-content',
'command-block', 'script-filter')))
group by user_src, dtime, catdesc, hostname, utmaction
order by dtime desc
)### t
group by user_src, dtime, catdesc, website, status
order by dtime desc
===================================
(slightly modified from default dataset called “web-Detailed-Website-Browsing-Log”)
then build a new chart using the dataset, and a report using that chart.

Use a filter specifying the categories you want to detail in the Advanced settings of the report.

Now, if you really need the URLs, the story becomes quite ugly. You could see the post called “URL field” in this forum.
Best regards and good luck



Obtaining and installing a signed server certificate from an external CA

To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request.

 

To submit the certificate signing request (file-based enrollment):

1. Using the web browser on the management computer, browse to the CA web site.

2. Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.

3. Follow the CA instructions to download their root certificate and CRL.

When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.

 

To install or import the signed server certificate – web-based manager

1. On the FortiGate unit, go to System > Certificates > Import > Local Certificates.

2. From Type, select Local Certificate.

3. Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.

4. Select OK, and then select Return.

