Troubleshooting certificates

There are times when there are problems with certificates: a certificate is seen as expired when it is not, or it cannot be found. Often the problem is with a third-party web site and not FortiOS. However, some problems can be traced back to FortiOS, such as DNS or routing issues.

Certificate is reported as expired when it is not

Certificates are often issued for a set period of time, such as a day or a month, depending on their intended use. This ensures everyone is using up-to-date certificates. It also makes it more difficult for hackers to steal and use old certificates.

Reasons a certificate may be reported as expired include:

  • It really has expired, based on the “best before” date in the certificate.
  • The FortiGate unit clock is not properly set. If the FortiGate clock is fast, it will see a certificate as expired before the expiry date has actually arrived.
  • The requesting server clock is not properly set. For example, if your certificate is 2 hours from expiring, a server more than two time zones away would see the certificate as expired. Likewise, if the server’s clock is set wrongly, it will have the same effect.
  • The certificate was revoked by the issuer before the expiry date. This may happen if the issuer believes a certificate was either stolen or misused. It is also possible that the revocation is for reasons on the issuer’s side, such as a system change. In either case it is best to contact the certificate issuer to determine what is happening and why.

A secure connection cannot be completed (Certificate cannot be found)

Everyone who uses a browser has encountered a message such as “This connection is untrusted”. Normally, when you try to connect securely to a web site, that web site presents its valid certificate to prove its identity. When the web site’s certificate cannot be verified as valid, a message appears stating “This connection is untrusted” or something similar. If you usually connect to this web site without problems, this error could mean that someone is trying to impersonate or hijack the web site, and best practice dictates that you not continue.

Reasons a web site’s certificate cannot be validated include:

  • The web site uses an unrecognized self-signed certificate. These are not secure because anyone can sign them. If you accept self-signed certificates, you do so at your own risk. Best practice dictates that you confirm the identity of the web site using some other method before you accept the certificate.
  • The certificate is valid for a different domain. A certificate is valid for a specific location, domain, or sub-section of a domain; for example, a certificate for support.example.com is not valid for marketing.example.com. If you encounter this problem, contact the webmaster for the web site to inform them of the problem.
  • There is a DNS or routing problem. If the web site’s certificate cannot be verified, it will not be accepted. Generally, to verify a certificate, your system checks with the third-party certificate signing authority to confirm that the certificate is valid. If you cannot reach that third party due to a DNS or routing error, the certificate will not be verified.
  • A firewall is blocking required ports. Ensure that any firewalls between the requesting computer and the web site allow the secure traffic through. Otherwise, a hole must be opened to allow it through. This includes ports such as 443 (HTTPS) and 22 (SSH).

Installing a CA root certificate and CRL to authenticate remote clients

When you apply for a signed personal or group certificate to install on remote clients, you can obtain the corresponding root certificate and CRL from the issuing CA. When you receive the signed personal or group certificate, install the signed certificate on the remote client(s) according to the browser documentation. Install the corresponding root certificate (and CRL) from the issuing CA on the FortiGate unit according to the procedures given below.

To install a CA root certificate

1. After you download the root certificate of the CA, save the certificate on the management computer. Or, you can use online SCEP to retrieve the certificate.

2. On the FortiGate unit, go to System > Certificates > Import > CA Certificates.

3. Do one of the following:

  • To import using SCEP, select SCEP. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information of the CA, such as the filename.

  • To import from a file, select Local PC, then select Browse and find the location on the management computer where the certificate has been saved. Select the certificate, and then select Open.

4. Select OK, and then select Return.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

To import a certificate revocation list

A Certificate Revocation List (CRL) is a list of the CA certificate subscribers paired with certificate status information. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

When configured to support SSL VPNs, the FortiGate unit uses the CRL to ensure that the certificates belonging to the CA and remote peers or clients are valid. The CRL has an “effective date” and a “next update” date; the interval is typically 7 days (for a Microsoft CA). FortiOS updates the CRL automatically. There is also a CLI command to specify an “update-interval” in seconds. The recommended value is 24 hours (86400 seconds), but this depends on company security policy.

1. After you download the CRL from the CA web site, save the CRL on the management computer.

2. Go to System > Certificates > Import > CRL.

3. Do one of the following:

  • To import using an HTTP server, select HTTP and enter the URL of the HTTP server.
  • To import using an LDAP server see this KB article.
  • To import using an SCEP server, select SCEP and select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
  • To import from a file, select Local PC, then select Browse and find the location on the management computer where the CRL has been saved. Select the CRL and then select Open.

4. Select OK, and then select Return.
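The failure classes listed under Troubleshooting certificates (a certificate that has expired, a client clock running fast, a certificate valid for a different domain, an issuer the client does not recognize) and the CRL lookup described in this procedure can all be reproduced offline. The following Go program is an added example written for this page, not Fortinet code: it constructs a throw-away CA and a leaf certificate for support.example.com, verifies the leaf under each condition with Go’s crypto/x509, then issues a CA-signed CRL with the 7-day thisUpdate/nextUpdate interval mentioned above and looks the leaf up in it. All names, serial numbers and times are constructed for the example; the function names are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert generates a P-256 key for tmpl and signs tmpl with signer (nil signer = self-signed).
func makeCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds a constructed CA (IsCA makes Go derive the SubjectKeyId CRL signing needs) and a leaf valid only for support.example.com from issued to issued+1h.
func NewTestPKI(issued time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, err error) {
	ca, caKey, err = makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             issued.Add(-time.Hour),
		NotAfter:              issued.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return
	}
	leaf, _, err = makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "support.example.com"},
		DNSNames:     []string{"support.example.com"},
		NotBefore:    issued,
		NotAfter:     issued.Add(time.Hour),
	}, ca, caKey)
	return
}

// Verify validates leaf for host as a client whose clock reads clock and whose
// trust store is roots, and names the failure class the text describes.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string, clock time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: clock})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired { // a client clock running fast lands here too
			return "expired"
		}
	case x509.HostnameError:
		return "wrong-domain"
	case x509.UnknownAuthorityError:
		return "unknown-authority"
	}
	return "other"
}

// RevokeCert issues a CA-signed CRL listing cert with a 7-day thisUpdate/nextUpdate window and parses it back.
func RevokeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cert *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cert.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked trusts the CRL only if the CA signed it, then looks up the serial number.
func IsRevoked(crl *x509.RevocationList, ca, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Verify takes the client’s clock as a parameter, which is how the clock-skew cases above show up: the same certificate that validates at issued+30m comes back “expired” at issued+2h. Passing an empty certificate pool reproduces the unrecognized-issuer case, and asking for marketing.example.com reproduces the wrong-domain case. IsRevoked refuses a CRL whose signature does not check out against the CA, so a list fetched over plain HTTP cannot simply be replaced on the path; comparing crl.NextUpdate with the update-interval you configure shows whether a 24-hour refresh keeps the FortiGate inside the CA’s 7-day window.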

Obtaining and installing a signed server certificate from an external CA

To obtain a signed server certificate for a FortiGate unit, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The FortiGate unit provides a way for you to generate the request.

To submit the certificate signing request (file-based enrollment):

1. Using the web browser on the management computer, browse to the CA web site.

2. Follow the CA instructions for a base-64 encoded PKCS#10 certificate request and upload your certificate request.

3. Follow the CA instructions to download their root certificate and CRL.

When you receive the signed server certificate from the CA, install the certificate on the FortiGate unit.

To install or import the signed server certificate – web-based manager

1. On the FortiGate unit, go to System > Certificates > Import > Local Certificates.

2. From Type, select Local Certificate.

3. Select Browse, browse to the location on the management computer where the certificate was saved, select the certificate, and then select Open.

4. Select OK, and then select Return.

Generating certificates with CA software

CA software allows you to generate unmanaged certificates and CA certificates for managing other certificates locally, without using an external CA service. Examples of CA software include ssl-ca from OpenSSL (available for Linux, Windows, and Mac) and gensslcert from SuSE. MS Windows Server 2000 and 2003 come with a CA as part of their certificate services, and in MS Windows 2008 the CA software can be installed as part of the Active Directory installation. See Example: Generate and Import CA certificate with private key pair on OpenSSL on page 537.

The general steps for generating certificates with CA software are:

1. Install the CA software as a stand-alone root CA.

2. Provide identifying information for your self-administered CA.

While following these steps, the methods vary slightly when generating server certificates, CA certificates, and PKI certificates.

Server certificate

1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.

2. Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate.

PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.

3. Export the certificate as an X.509 DER-encoded binary file with the .CER extension.

4. Upload the certificate file to the FortiGate unit Local Certificates page (type is Certificate).

CA certificate

1. Retrieve the CA Certificate from the CA software as a DER encoded file.

2. Import the CA certificate file to the FortiGate unit at System > Certificates > Import > CA Certificates.

PKI certificate

1. Generate a Certificate Signing Request (CSR) on the FortiGate unit.

2. Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and generate the certificate.

PKCS10 is the format used to send the certificate request to the signing authority. PKCS7 is the format the signing authority can use for the newly signed certificate.

3. Export the certificate as an X.509 DER-encoded binary file with the .CER extension.

4. Install the certificate in the user’s web browser or IPsec VPN client as needed.

Managing X.509 certificates

Managing security certificates is required due to the number of steps involved in both having a certificate request signed, and then distributing the correct files for use.

You use the FortiGate unit or CA software such as OpenSSL to generate a certificate request. That request is a text file that you send to the CA for verification, or alternatively you use CA software to validate it yourself. Once validated, the certificate file is generated and must be imported to the FortiGate unit before it can be used. These steps are explained in more detail later in this section.

This section provides procedures for generating certificate requests, installing signed server certificates, and importing CA root certificates and CRLs to the FortiGate unit.

For information about how to install root certificates, CRLs, and personal or group certificates on a remote client browser, refer to your browser’s documentation.

This section includes:

  • Generating a certificate signing request
  • Generating certificates with CA software
  • Obtaining and installing a signed server certificate from an external CA
  • Installing a CA root certificate and CRL to authenticate remote clients
  • Troubleshooting certificates
  • Online updates to certificates and CRLs
  • Backing up and restoring local certificates

Generating a certificate signing request

Whether you create certificates locally with a software application or obtain them from an external certificate service, you will need to generate a certificate signing request (CSR).

When you generate a CSR, a private and public key pair is created for the FortiGate unit. The generated request includes the public key of the FortiGate unit and information such as the FortiGate unit’s public static IP address, domain name, or email address. The FortiGate unit’s private key remains confidential on the FortiGate unit.

After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, and you install the certificate on the FortiGate unit.

The Certificate Request Standard is a Public Key Cryptography Standard (PKCS) published by RSA; specifically, PKCS#10 defines the format for CSRs. It is defined in RFC 2986.

To generate a certificate request in FortiOS – web-based manager:

1. Go to System > Certificates > Local Certificates.

2. Select Generate.

3. In the Certificate Name field, enter a unique meaningful name for the certificate request. Typically, this would be the hostname or serial number of the FortiGate unit or the domain of the FortiGate unit such as example.com.

Do not include spaces in the certificate name. This ensures that the signed certificate can later be exported as a PKCS12 file if required.

4. Enter values in the Subject Information area to identify the FortiGate unit:

  • If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or a fully qualified domain name (FQDN), if available) instead.
  • If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use an FQDN, if available, to identify the FortiGate unit. If you select Domain Name, enter the FQDN of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names.

If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an “unable to verify certificate” type message may be displayed in the user’s browser whenever the public IP address of the FortiGate unit changes.

  • If you select EMail, enter the email address of the owner of the FortiGate unit.

5. Enter values in the Optional Information area to further identify the FortiGate unit.

Organization Unit: Name of your department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icon.

Organization: Legal name of your company or organization.

Locality (City): Name of the city or town where the FortiGate unit is installed.

State/Province: Name of the state or province where the FortiGate unit is installed.

Country: Select the country where the FortiGate unit is installed.

email: Contact email address.

Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:

  • e-mail address
  • IP address
  • URI
  • DNS name (alternatives to the Common Name)
  • directory name (alternatives to the Distinguished Name)

You must precede the name with the name type. Examples:

  • IP:1.1.1.1
  • email:test@fortinet.com
  • email:my@other.address
  • URI:http://my.url.here/

6. From the Key Type list, select RSA or Elliptic Curve.

7. From the Key Size list, select 1024 Bit, 1536 Bit, 2048 Bit or secp256r1, secp384r1, secp521r1 respectively.

Larger keys are slower to generate but more secure.

8. In Enrollment Method, you have two methods to choose from. Select File Based to generate the certificate request, or Online SCEP to obtain a signed SCEP-based certificate automatically over the network. For the SCEP method, enter the URL of the SCEP server from which to retrieve the CA certificate, and the CA server challenge password.

9. Select OK.

10. The request is generated and displayed in the Local Certificates list with a status of PENDING.

11. Select the Download button to download the request to the management computer.

12. In the File Download dialog box, select Save and save the Certificate Signing Request on the local file system of the management computer.

13. Name the file and save it on the local file system of the management computer. The certificate request is ready to be signed by the certificate authority.
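As an added example (not from the FortiOS handbook or any Fortinet code), the following Go program generates the same kind of PKCS#10 request the procedure above produces: a secp256r1 key pair, a subject built from the Subject Information and Optional Information fields, and Subject Alternative Names given in the typed form shown above (IP:, email:, URI:, plus DNS:). InspectCSR then does what the CA does on receipt: decodes the PEM, checks the request’s self-signature and exposes the parsed fields. The CSRSubject type, its fields and the function names are this example’s own; the sample values in the lead-in and test are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"net"
	"net/url"
	"strings"
)

// CSRSubject mirrors the Subject Information and Optional Information fields of
// the FortiOS Generate dialog; the type and field names are this example's own.
type CSRSubject struct {
	CommonName                string   // Host IP, Domain Name or E-Mail from the dialog
	OUs                       []string // Organization Units, at most 5
	Org, City, State, Country string
	SANs                      []string // typed as in the text: IP:, email:, URI:, plus DNS:
}

// BuildCSR generates a secp256r1 key pair and a PKCS#10 request carrying the
// public key and subject. The private key is returned only so the caller can
// store it locally; it never goes into the request.
func BuildCSR(s CSRSubject) ([]byte, *ecdsa.PrivateKey, error) {
	if len(s.OUs) > 5 {
		return nil, nil, errors.New("at most 5 organization units")
	}
	opt := func(v string) []string { // omit empty optional attributes
		if v == "" {
			return nil
		}
		return []string{v}
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName: s.CommonName, OrganizationalUnit: s.OUs, Organization: opt(s.Org),
		Locality: opt(s.City), Province: opt(s.State), Country: opt(s.Country),
	}}
	for _, san := range s.SANs {
		typ, val, ok := strings.Cut(san, ":")
		if !ok {
			return nil, nil, errors.New("SAN must be preceded by its type: " + san)
		}
		switch typ {
		case "IP":
			ip := net.ParseIP(val)
			if ip == nil {
				return nil, nil, errors.New("invalid IP SAN: " + san)
			}
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		case "email":
			tmpl.EmailAddresses = append(tmpl.EmailAddresses, val)
		case "URI":
			u, err := url.Parse(val)
			if err != nil {
				return nil, nil, err
			}
			tmpl.URIs = append(tmpl.URIs, u)
		case "DNS":
			tmpl.DNSNames = append(tmpl.DNSNames, val)
		default:
			return nil, nil, errors.New("unknown SAN type: " + typ)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// InspectCSR does what a CA does on receipt: decode the PEM, check the request's
// self-signature (proof the requester holds the private key) and return it parsed.
func InspectCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}
```

The PEM text that BuildCSR returns is the base-64 PKCS#10 block you paste into the CA’s enrollment form in the file-based procedure; the key stays with the caller, which is the property the text describes for the FortiGate unit’s private key. InspectCSR rejects a request whose signature does not verify under the public key it carries, and the untyped SAN “1.1.1.1” is refused because the text requires the name type prefix.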

Firewall user groups

Firewall user groups are used locally as part of authentication. When a security policy allows access only to specified user groups, users must authenticate. If the user authenticates successfully and is a member of one of the permitted groups, the session is allowed to proceed.

This section includes:

  • SSL VPN access
  • IPsec VPN access
  • Configuring a firewall user group
  • Multiple group enforcement support
  • User group timeouts

SSL VPN access

SSL VPN settings include a list of the firewall user groups that can access the SSL VPN and the SSL VPN portal that each group will use. When the user connects to the FortiGate unit via HTTPS on the SSL VPN port (default 10443), the FortiGate unit requests a username and password.

SSL VPN access also requires a security policy where the destination is the SSL interface. For more information, see the FortiOS Handbook SSL VPN guide.

IPsec VPN access

A firewall user group can provide access for dialup users of an IPsec VPN. In this case, the IPsec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the username as peer ID and the password as pre-shared key. The user can connect successfully to the IPsec VPN only if the username is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

A user group cannot be used as a dialup group if any member of the group is authenticated using an external authentication server.

For more information, see the FortiOS Handbook IPsec VPN guide.

Configuring a firewall user group

A user group can contain:

  • local users, whether authenticated by the FortiGate unit or an authentication server
  • PKI users
  • authentication servers, optionally specifying particular user groups on the server

To create a Firewall user group – web-based manager:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a name for the user group.

3. In Type, select Firewall.

4. Add user names to the Members list.

5. Add authentication servers to the Remote groups list.

By default, all user accounts on the authentication server are members of this FortiGate user group. To include only specific user groups from the authentication server, deselect Any and enter the group name in the appropriate format for the type of server. For example, an LDAP server requires LDAP format, such as: cn=users,dc=office,dc=example,dc=com

Remote servers must already be configured in User & Device > Authentication.

6. Select OK.

Troubleshooting static routing

When there are problems with your network that you believe to be static routing related, there are a few basic tools available to locate the problem.

These tools include:

  • Ping
  • Traceroute
  • Examine routing table contents

Ping

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it takes the packet to make the round trip, and the variation in that time from packet to packet.

If there is no packet loss detected, your basic network connectivity is OK. If there is some packet loss detected, you should investigate:

  • Possible ECMP, split horizon, network loops
  • Cabling to ensure no loose connections

If there is total packet loss, you should investigate:

  • Hardware – ensure cabling is correct, and all equipment between the two locations is accounted for
  • Addresses and routes – ensure all IP addresses and routing information along the route is configured as expected
  • Firewalls – ensure all firewalls are set to allow PING to pass through

To ping from a Windows PC

1. Go to a DOS prompt. Typically you go to Start > Run, enter cmd and select OK.

2. Enter ping 11.101.100 to ping the default internal interface of the FortiGate unit with four packets.

To ping from an Apple computer

1. Open the Terminal.

2. Enter ping 11.101.100.

3. If the ping fails, it will stop after a set number of attempts. If it succeeds, it will continue to ping repeatedly. Press Control+C to end the attempt and see the gathered data.

To ping from a Linux PC

1. Go to a command line prompt.

2. Enter “/bin/etc/ping 11.101.101”.

Traceroute

Where ping will only tell you if it reached its destination and came back successfully, traceroute will show each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, traceroute can be used to locate exactly where the problem is.

To use traceroute on a Windows PC

1. Go to a DOS prompt. Typically you go to Start > Run, enter “cmd” and select OK.

2. Enter “tracert com” to trace the route from the PC to the Fortinet website.

To use traceroute from an Apple computer

1. Open the Terminal.

2. Enter traceroute com.

3. The terminal will list the number of steps made. Upon reaching the destination, it will list three asterisks per line.

Press Control+C to end the attempt.

To use traceroute on a Linux PC

1. Go to a command line prompt.

2. Enter “/bin/etc/traceroute com”.

The Linux traceroute output is very similar to the MS Windows traceroute output.

Examine routing table contents

The first place to look for information is the routing table.

The routing table is where all the currently used routes are stored for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route isn’t used for a while and a new route needs to be added, the oldest least used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. Note that if your FortiGate unit is in Transparent mode, you are unable to perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the web-based manager, use the Routing Monitor — go to Router > Monitor > Routing Monitor. In the CLI, use the command get router info routing-table all.

Route priority

After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. Priority is a Fortinet value that may or may not be present in other brands of routers.

You can configure the priority field through the CLI or the web-based manager. Priority values can range from 0 to 4 294 967 295. The route with the lowest value in the priority field is considered the best route. It is also the primary route.

To change the priority of a route – web-based manager

1. Go to Router > Static > Static Routes.

2. Select the route entry, and select Edit.

3. Select Advanced.

4. Enter the Priority value.

5. Select OK.

To change the priority of a route – CLI

The following command changes the priority to 5 for a route to the address 10.10.10.1 on the port1 interface.

    config router static
        edit 1
            set device port1
            set gateway 10.10.10.10
            set dst 10.10.10.1
            set priority 5
    end

If there are other routes set to priority 10, the route set to priority 5 will be preferred. If there are routes set to priorities less than 5, those other routes will be preferred instead.

In summary, because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes.

Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, if you have enabled load balancing with ECMP routes, then different sessions will resolve this problem by using different routes to the same address.
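As an added example that is not FortiOS code, the Go function below models the selection rule stated above for several static routes to the same destination: the lowest administrative distance wins, the priority field breaks ties among routes of equal distance, and routes that tie on both are ECMP and are all kept. The StaticRoute type, its field names and the sample routes in the test (including the gateway addresses) are constructed for this example.

```go
package main

// StaticRoute carries the fields FortiOS uses to rank static routes to the same
// destination: administrative distance first, then the priority field.
// The type and its field names are this example's own.
type StaticRoute struct {
	Seq      int // config router static edit <seq>
	Dst      string
	Device   string
	Gateway  string
	Distance int
	Priority uint32 // 0 to 4294967295; lower is preferred
}

// SelectRoutes returns, per destination, the routes that end up in the
// forwarding table: lowest distance wins; among equal distances the lowest
// priority wins; routes equal on both are ECMP and are all kept, in input order.
func SelectRoutes(routes []StaticRoute) map[string][]StaticRoute {
	best := map[string][]StaticRoute{}
	for _, r := range routes {
		cur := best[r.Dst]
		switch {
		case len(cur) == 0 || r.Distance < cur[0].Distance ||
			(r.Distance == cur[0].Distance && r.Priority < cur[0].Priority):
			best[r.Dst] = []StaticRoute{r} // strictly better: replace the candidate set
		case r.Distance == cur[0].Distance && r.Priority == cur[0].Priority:
			best[r.Dst] = append(cur, r) // equal cost: another ECMP member
		}
	}
	return best
}
```

Feeding it the route from the CLI example above (priority 5) together with a second route of priority 10 to the same destination returns only the priority-5 route, as the text states; adding a third route with a lower administrative distance displaces both regardless of priority, which is the ordering the first paragraph of this section describes.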