For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.
Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA), otherwise the certificate created in this recipe will not be trusted. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.
This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.
As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.
1. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new CSR. Enter a Certificate Name (Ramtops), the public IP of the FortiGate (172.20.121.92), and a valid email address. Set Key Type to RSA and Key Size to 2048 Bit. The private key is generated on the FortiGate and never leaves it, and it will sign a certificate for every HTTPS site your users visit, so 2048 bits is the minimum key strength you should accept here.

Once created, the certificate Ramtops will show a Status of Pending. Highlight Ramtops and select Download. This will save a .csr file to your local drive.

2. Creating an Intermediate CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import. Set Type to CSR to sign, enter a Certificate ID, and import the Ramtops.csr file. Select the signing Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256. Importing the CSR under Local CAs is what makes the signed certificate a CA certificate; the FortiGate can only re-sign server certificates with a certificate that carries the CA flag, so an ordinary end-entity certificate would be useless for deep inspection.

Once imported, you should see that Ramtops has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. It is non-signing from the FortiAuthenticator's point of view because the private key stays on the FortiGate. Highlight the certificate and select Export. This will save a .crt file to your local drive.

3. Importing the signed certificate on the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu. Browse to the Ramtops.crt file and select OK.

You should now see that Ramtops has a Status of OK, meaning the imported certificate has been matched to the private key that was still pending from step 1.

4. Configuring Application Control

Go to Security Profiles > Application Control and edit the default profile. Under Options, enable Deep Inspection of Cloud Applications.

5. Configuring full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and create a new profile. Enter a Name, select Ramtops from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection. Certificate inspection only reads the server certificate and cannot see the application data that Deep Inspection of Cloud Applications needs.

Next go to Policy & Objects > Policy > IPv4 and edit the policy that allows Internet access. Under Security Profiles, enable SSL/SSH Inspection and select the ramtops profile created earlier. Enable Application Control and set it to default.

6. Results

To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example, https://www.dropbox.com). If you click on the lock icon next to the address bar, you should now see that the site's certificate was issued by the FortiGate certificate (172.20.121.92) rather than by the site's own CA. No certificate errors appear only on clients that trust the FortiAuthenticator CA: export its root CA certificate from the FortiAuthenticator and install it in each client's operating system or browser trust store, otherwise every inspected site will show a certificate warning.
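The whole flow reproduced with OpenSSL, as an added example that is not part of the original recipe and is not FortiGate or FortiAuthenticator code: a throwaway root CA stands in for the FortiAuthenticator CA, the CSR is generated with the recipe's subject (step 1), it is signed once as an intermediate CA (step 2) and once as a plain server certificate to show why the latter cannot be used for inspection, the result is checked the way you would before importing it (step 3), and a certificate for www.dropbox.com is then minted under Ramtops and verified as a browser with and without the root installed would see it (step 6). The e-mail address, the file names, the pathlen constraint and the generated openssl.cnf are assumptions.

```shell
#!/bin/sh
# Added example, not FortiGate or FortiAuthenticator code: the recipe's
# certificate flow reproduced with OpenSSL so each artifact can be inspected.
# Assumptions: a throwaway root CA stands in for the FortiAuthenticator CA,
# the e-mail address and file names are made up, and a minimal openssl.cnf
# is written here so the script does not depend on the system one.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-in for the FortiAuthenticator's own root CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/CN=FortiAuthenticator Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Step 1: the CSR the FortiGate generates (RSA, 2048 bit, CN = its public IP).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=172.20.121.92/emailAddress=admin@example.com" \
    -keyout "$WORK/Ramtops.key" -out "$WORK/Ramtops.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR with SHA-256. $1 = output file; $2 = "ca" signs
# it as an intermediate CA (what Local CAs > Import does), anything else signs
# it as a plain end-entity certificate, which is useless for inspection.
sign_csr() {
  if [ "$2" = ca ]; then
    bc="critical,CA:TRUE,pathlen:0"; ku="keyCertSign,cRLSign"
  else
    bc="CA:FALSE"; ku="digitalSignature,keyEncipherment"
  fi
  printf 'basicConstraints=%s\nkeyUsage=critical,%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' \
    "$bc" "$ku" > "$WORK/sign.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/Ramtops.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/sign.ext" -out "$1" 2>/dev/null
}

# Step 3, before importing: is the signed file ($1) usable as an inspection CA?
# Returns 0 only if it carries the CA flag, has an RSA key of at least 2048
# bits, is SHA-256 signed, and chains to the root in $2.
check_inspection_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || { echo "$1: not a CA certificate"; return 1; }
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "$1: not signed with SHA-256/RSA"; return 1; }
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "$1: key too small (${bits:-?} bit)"; return 1; }
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "$1: does not chain to $2"; return 1; }
}

# Step 6, what the FortiGate does for each inspected HTTPS session: mint a
# certificate for the visited site ($1) under the Ramtops CA.
mint_site_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/site.ext"
  openssl x509 -req -sha256 -days 7 -in "$WORK/site.csr" \
    -CA "$WORK/Ramtops.crt" -CAkey "$WORK/Ramtops.key" -CAcreateserial \
    -extfile "$WORK/site.ext" -out "$WORK/site.crt" 2>/dev/null
}

# Would a browser whose trust store holds only the CA in $1 accept the minted
# site certificate? Pass "" for a browser without the FortiAuthenticator root.
client_accepts() {
  if [ -n "$1" ]; then set -- -CAfile "$1"; else set -- -no-CAfile -no-CApath; fi
  openssl verify "$@" -untrusted "$WORK/Ramtops.crt" "$WORK/site.crt" >/dev/null 2>&1
}

make_root_ca
make_csr
sign_csr "$WORK/Ramtops.crt" ca
sign_csr "$WORK/Ramtops-server.crt" server
if check_inspection_ca "$WORK/Ramtops.crt" "$WORK/root.crt"; then
  echo "Ramtops.crt: usable for SSL inspection"
fi
check_inspection_ca "$WORK/Ramtops-server.crt" "$WORK/root.crt" || true  # prints why it is rejected
mint_site_cert www.dropbox.com
if client_accepts "$WORK/root.crt"; then echo "browser with root installed: no certificate error"; fi
if ! client_accepts ""; then echo "browser without root installed: certificate error"; fi
```

Run it with sh and set WORK to a directory if you want to keep the files. The same openssl x509 -text check is worth running on the Ramtops.crt you export from the FortiAuthenticator: if Basic Constraints does not show CA:TRUE, the CSR was signed as an end-entity certificate and the file should not be used in the SSL/SSH Inspection profile. The last two lines are the point of the Results step: the minted certificate is only accepted by a client that has the FortiAuthenticator root in its trust store.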
The post FortiAuthenticator certificate for SSL inspection appeared first on Fortinet Cookbook.