FortiGuard anycast and third-party SSL validation
Anycast optimizes routing performance to FortiGuard servers. It is the default FortiGuard access mode.
Using Fortinet DNS servers, the FortiGate receives a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to the FortiGate. The domain name of each FortiGuard service is the common name in that service's certificate, which is signed by a third-party intermediate CA. The FortiGuard server uses third-party certificate verification and the Online Certificate Status Protocol (OCSP) stapling check, so that the FortiGate can always validate the FortiGuard server certificate efficiently.
FortiGate will only complete the TLS handshake with an anycast server that has a good OCSP status for its certificate. Any other status will result in a failed SSL connection. OCSP stapling is reflected on the signature interval so that good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and update its OCSP status. If the FortiGuard is unable to reach the OCSP responder, it will keep the last known OCSP status for up to seven days. This cached OCSP status will be sent out immediately when a client connection request is made, optimizing the response time.
FortiGuard represents all cloud based servers; see Anycast and unicast services for details.
The anycast server has one IP address to match its domain name. The FortiGate connects with a single server address, using HTTPS and port 443, regardless of where the FortiGate is located.
To configure the anycast FortiGuard access mode:
config system fortiguard set fortiguard-anycast {enable | disable} set fortiguard-anycast-source {fortinet | aws} end
Connection process
The following process is used to connect to an anycast server:
- The FortiGate embeds the CA_bundle certificate, which includes the root CA with CRL list and third-party intermediate CA, in the root CA level.
- The FortiGate finds the FortiGuard IP address from its domain name from DNS.
- The FortiGate starts a TLS handshake with the FortiGuard IP address. The client hello includes an extension of the status request.
- The FortiGuard servers provide a certificate with its OCSP status: good, revoked, or unknown.
- The FortiGate verifies the CA chain against the root CA in the CA_bundle.
- The FortiGate verifies the intermediate CA's revoke status against the root CA's CRL.
- The FortiGate verifies the FortiGuard certificate's OCSP status:
OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F Produced At: Aug 20 07:50:58 2019 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686 Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F Serial Number: 02555C9F3901B799DF1873402FA9392D Cert Status: good This Update: Aug 20 07:50:58 2019 GMT Next Update: Aug 27 07:05:58 2019 GMT
Abort conditions include:
- The CN in the server's certificate does not match the domain name resolved from the DNS.
- The OCSP status is not good.
- The issuer-CA is revoked by the root-CA.
- Once the SSL handshake is established, the FortiGate can engage the server.
Example Wireshark PCAP: