Local certificates
The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
The FortiAnalyzer has one default local certificate: Fortinet_Local.
You can manage local certificates from the System Settings > Certificates page. Some options are available in the toolbar and some are also available in the right-click menu.
Note: In order to safeguard against compromise, in FortiAnalyzer 7.4.6, FAZ-VM license files contain a unique certificate which is tied to the device's serial number.
Creating a local certificate
To create a certificate request:
- Go to System Settings > Certificates.
- Click Create New/Import > Generate CSR in the toolbar. The Generate Certificate Signing Request pane opens.
- Enter the following information as required, then click OK to save the certificate request:
- Certificate Name: The name of the certificate.
- Subject Information: Select the ID type from the dropdown list:
  - Host IP: Select if the unit has a static IP address. Enter the public IP address of the unit in the Host IP field.
  - Domain Name: Select if the unit has a dynamic IP address and subscribes to a dynamic DNS service. Enter the domain name of the unit in the Domain Name field.
  - Email: Select to use an email address. Enter the email address in the Email Address field.
- Optional Information:
  - Organization Unit (OU): The name of the department. You can enter a series of OUs up to a maximum of 5. To add or remove an OU, use the plus (+) or minus (-) icons.
  - Organization (O): Legal name of the company or organization.
  - Locality (L): Name of the city or town where the device is installed.
  - State/Province (ST): Name of the state or province where the FortiGate unit is installed.
  - Country (C): Select the country where the unit is installed from the dropdown list.
  - E-mail Address (EA): Contact email address.
- Subject Alternative Name: Optionally, enter one or more alternative names for which the certificate is also valid. Separate names with a comma. A name can be:
  - e-mail address
  - IP address
  - URI
  - DNS name (alternatives to the Common Name)
  - directory name (alternatives to the Distinguished Name)
  You must precede the name with the name type. Examples:
  - IP:1.1.1.1
  - email:test@fortinet.com
  - email:my@other.address
  - URI:http://my.url.here/
- Key Type: The key type can be RSA or Elliptic Curve.
- Key Size: Select the key size from the dropdown list: 512 Bit, 1024 Bit, 1536 Bit, or 2048 Bit. This option is only available when the key type is RSA.
- Curve Name: Select the curve name from the dropdown list: secp256r1 (default), secp384r1, or secp521r1. This option is only available when the key type is Elliptic Curve.
- Enrollment Method: The enrollment method is set to File Based.
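As an added example (not Fortinet code), the following validator parses the Subject Alternative Name string in the form above using the type prefixes it lists (IP, email, URI, DNS); the dirName prefix for directory names is an assumption, since the page names the type but not its prefix. It rejects entries without a type prefix and checks each value against the rules for its type, so a malformed SAN is caught before the CSR is generated and sent to the CA.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Name-type prefixes accepted in the SAN field. "dirName" is assumed (the page
# lists directory names as a type but does not show the prefix).
SAN_TYPES = ("IP", "email", "URI", "DNS", "dirName")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")   # one hostname label
_EMAIL = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")       # loose local@domain.tld


def is_hostname(name):
    """RFC 1123-style hostname: dot-separated labels, none empty or edged by '-'."""
    return all(_LABEL.fullmatch(label) for label in name.rstrip(".").split("."))


def parse_san(san):
    """Split a comma-separated SAN string into (type, value) pairs.

    Each entry must be written as <type>:<value>. Only the first ':' separates
    the type, so IPv6 literals such as IP:2001:db8::1 survive intact. Raises
    ValueError on the first entry that is missing a type or has a bad value.
    """
    entries = []
    for raw in san.split(","):
        item = raw.strip()
        if not item:                      # tolerate a trailing comma or blanks
            continue
        typ, sep, value = item.partition(":")
        if not sep or typ not in SAN_TYPES or not value:
            expected = ", ".join(f"{t}:<value>" for t in SAN_TYPES)
            raise ValueError(f"entry {item!r} must be one of: {expected}")
        if typ == "IP":
            ipaddress.ip_address(value)   # IPv4 or IPv6; raises ValueError if malformed
        elif typ == "email" and not _EMAIL.fullmatch(value):
            raise ValueError(f"bad e-mail address in {item!r}")
        elif typ == "URI" and not urlsplit(value).scheme:
            raise ValueError(f"URI in {item!r} must carry a scheme such as http://")
        elif typ == "DNS" and not is_hostname(value):
            raise ValueError(f"bad DNS name in {item!r}")
        entries.append((typ, value))
    return entries


def san_has(san, typ, value):
    """True if the SAN string lists exactly this name (e.g. the unit's DNS name)."""
    return (typ, value) in parse_san(san)
```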
Importing local certificates
To import a local certificate:
- Go to System Settings > Certificates.
- Click Create New/Import > Local Certificate in the toolbar.
- Enter the following information as required, then click OK to import the local certificate:
- Type: Select the certificate type from the dropdown list: Local Certificate, PKCS #12 Certificate, or Certificate.
- Certificate File: Click Browse... and locate the certificate file on the management computer, or drag and drop the file onto the dialog box.
- Key File: Click Browse... and locate the key file on the management computer, or drag and drop the file onto the dialog box. This option is only available when Type is Certificate.
- Password: Enter the certificate password. This option is only available when Type is PKCS #12 Certificate or Certificate.
- Certificate Name: Enter the certificate name. This option is only available when Type is PKCS #12 Certificate or Certificate.
Deleting local certificates
To delete a local certificate or certificates:
- Go to System Settings > Certificates.
- Select the certificate or certificates you need to delete.
- Click Delete in the toolbar, or right-click and select Delete.
- Click OK in the confirmation dialog box to delete the selected certificate or certificates.
Viewing details of local certificates
To view details of a local certificate:
- Go to System Settings > Certificates.
- Select the certificates that you would like to see details about, then click View Certificate Detail in the toolbar or right-click menu. The View Local Certificate page opens.
- Click OK to return to the local certificates list.
Downloading local certificates
To download a local certificate:
- Go to System Settings > Certificates.
- Select the certificate that you need to download.
- Click Download in the toolbar, or right-click and select Download, and save the certificate to the management computer.
Note: When an object is added to a policy package and assigned to an ADOM, the object is available in all devices that are part of the ADOM. If the object is renamed on a device locally, FortiManager automatically syncs the renamed object to the ADOM.
Using a local certificate for OFTP connection
You can configure FortiAnalyzer to use an externally signed local (custom) certificate for OFTP connection between FortiGate and FortiAnalyzer for logging.
The example below uses FortiGate as the logging device; the same process applies when importing a certificate for syslog devices that log over TLS. Complete the configuration and check the connection according to the syslog device you are using.
To generate a certificate signing request from FortiAnalyzer:
- Go to System Settings > Certificates > Local Certificates.
- Click Create New/Import > Generate CSR.
- Enter the relevant information in the certificate signing request, and then click OK.
  If certificate validation is enabled on FortiGate, you must enter the FortiAnalyzer serial number in the Domain Name field.
- Select the newly created CSR and click Download.
- To generate the certificate, sign the CSR with either a public CA or a private CA.
  For example, you can use a FortiAuthenticator to sign the CSR. For more information, see the FortiAuthenticator Administration Guide.
- After signing the CSR, export and download the certificate.
- In FortiAnalyzer, import the signed certificate:
  - Go to System Settings > Certificates > Local Certificates.
  - Click Create New/Import > Certificate.
  - In the Type field, select Local Certificate.
  - In the Certificate File field, drag and drop or select the signed certificate.
  - Click OK.
  The certificate status changes from PENDING to OK once the certificate is uploaded correctly.
To configure the use of the local certificate and restart the OFTP daemon:
- Once the certificate has been imported, enter the following commands in the FortiAnalyzer CLI to use the local certificate:
    config system certificate oftp
        set mode local
        set local "<name of the certificate>"
    end
- In the FortiAnalyzer CLI, enter the following command to restart the OFTP daemon:
    diagnose test application oftpd 99
- If a private CA was used, you must import the CA certificate into the FortiGate.
- Validate the connection status to FortiAnalyzer in the FortiGate.
  In the FortiGate GUI, you can validate the connection in Security Fabric > Fabric Connectors > Logging & Analytics > FortiAnalyzer.
  In the FortiGate CLI, you can run the following command to validate the connection:
    execute log fortianalyzer test-connectivity
  For example:
    FGT-kvm2 # execute log fortianalyzer test-connectivity
    FortiAnalyzer Host Name: FAZ-kvm1
    FortiAnalyzer Adom Name: root
    FortiGate Device ID: FGVM#######
    Registration: registered
    Connection: allow
    Adom Disk Space (Used/Allocated): 39960108B/53687091200B
    Analytics Usage (Used/Allocated): 37919829B/37580963840B
    Analytics Usage (Data Policy Days Actual/Configured): 60/60 Days
    Archive Usage (Used/Allocated): 2040279B/16106127360B
    Log: Tx & Rx (33 logs received since 11:08:11 09/27/22)
    IPS Packet Log: Tx & Rx
    Content Archive: Tx & Rx
    Quarantine: Tx & Rx
    Certificate of Fortianalyzer valid and serial number is:FAZ-VM####
For more information, see the FortiGate / FortiOS Administration Guide.