Test cases
The following are test cases performed using the HA setup configured here: FortiAnalyzer HA setup with non-public IP as VIP
Prerequisite
After configuring the HA setup, the following are further prerequisites completed before performing the test cases.
Enable shell on FortiAnalyzer:
In the FortiAnalyzer CLI, enter the following command:
config system admin setting
set shell-access enable
set shell-password `your_secret_password`
end
Checking which CA certificate is retrieved by each FortiAnalyzer:
In the fazha001 CLI, enter the following command:
execute shell
Enter password: `your_secret_password`
bash$
bash$ curl -k -v https://management.azure.com//subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces/?api-version=2021-08-01
* Trying 13.69.114.0:443...
* Connected to management.azure.com (13.69.114.0) port 443 (#0)
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=management.azure.com
* start date: Dec 26 18:48:58 2022 GMT
* expire date: Dec 21 18:48:58 2023 GMT
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 06
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET //subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces/?api-version=2021-08-01 HTTP/1.1
> Host: management.azure.com
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Expires: -1
< WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."
< x-ms-failure-cause: gateway
< x-ms-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< x-ms-correlation-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< x-ms-routing-request-id: WESTEUROPE:20230202T130102Z:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Date: Thu, 02 Feb 2023 13:01:01 GMT
< Connection: close
< Content-Length: 115
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}
In the fazha002 CLI, enter the following command:
execute shell
Enter password: `your_secret_password`
bash$
bash$ curl -k -v https://management.azure.com//subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces/?api-version=2021-08-01
* Trying 20.61.101.39:443...
* Connected to management.azure.com (20.61.101.39) port 443 (#0)
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=management.azure.com
* start date: Dec 26 18:48:58 2022 GMT
* expire date: Dec 21 18:48:58 2023 GMT
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 06
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET //subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces/?api-version=2021-08-01 HTTP/1.1
> Host: management.azure.com
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Expires: -1
< WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", error="invalid_token", error_description="The authentication failed because of missing 'Authorization' header."
< x-ms-failure-cause: gateway
< x-ms-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< x-ms-correlation-request-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< x-ms-routing-request-id: WESTEUROPE:20230202T144644Z:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< Date: Thu, 02 Feb 2023 14:46:44 GMT
< Connection: close
< Content-Length: 115
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
{"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}
In the output above we can identify that the issuer of the used server certificate is called
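
As an added example (not part of the original page), the POSIX shell helpers below pull the subject, issuer and verify result out of a saved `curl -k -v` transcript, so the output from fazha001 and fazha002 can be compared without reading it line by line. The function names are hypothetical, the embedded sample is an excerpt of the fazha001 output above, and the transcript is assumed to be parsed on an admin workstation that has `sed` and `awk`.

```shell
#!/bin/sh
# Added example: summarise the certificate lines of a saved `curl -k -v` run.
# curl writes the verbose lines to stderr, so capture them with 2>file.

# Constructed sample: excerpt of the fazha001 transcript shown above.
sample_output() {
cat <<'EOF'
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=management.azure.com
* start date: Dec 26 18:48:58 2022 GMT
* expire date: Dec 21 18:48:58 2023 GMT
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 06
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/1.1 401 Unauthorized
EOF
}

# Print the CN of the certificate field named in $1 ("subject" or "issuer").
cert_cn() {
    sed -n "s/^\*[[:space:]]*$1:.*CN=\([^;]*\).*/\1/p" | head -n 1
}

# Print the numeric verify code curl logged: 0 for "verify ok", otherwise
# the number in parentheses (20 = issuer not in the local trust store).
verify_code() {
    awk '
        /SSL certificate verify ok/ { print 0; exit }
        /SSL certificate verify result:/ {
            if (match($0, /\([0-9]+\)/)) print substr($0, RSTART + 1, RLENGTH - 2)
            exit
        }'
}

# Read one transcript on stdin and print a one-line summary.
summarize() {
    out=$(cat)
    printf 'subject=%s issuer=%s verify=%s\n' \
        "$(printf '%s\n' "$out" | cert_cn subject)" \
        "$(printf '%s\n' "$out" | cert_cn issuer)" \
        "$(printf '%s\n' "$out" | verify_code)"
}

sample_output | summarize
```

Running `summarize` on the transcript saved from each node gives one line per FortiAnalyzer; a differing `issuer=` value means the two nodes were presented certificates from different issuing CAs.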
DUT:
| Name | URL or public IP | private IP | User | PWD |
|---|---|---|---|---|
| FAZHA001 | https://13.69.84.16/p/login/ | 10.0.10.4 | myadmin | ***** |
| FAZHA002 | https://20.234.143.77/p/login/ | 10.0.10.5 | myadmin | ***** |
| lynx001 | ssh azureuser@4.231.109.9 | 10.0.10.6 | azureuser | ***** |
Network overview: