Certificate expiration trigger 7.2.1

The local certificate expiry trigger (CLI event type local-cert-near-expiry) can be used in an automation stitch to act when a user-supplied local certificate used for SSL VPN, deep inspection, or another purpose is about to expire. The trigger fires on the event log that FortiOS generates when a local certificate is within the certificate expiry warning threshold, which is configured under the VPN certificate settings in the CLI:

config vpn certificate setting
    set cert-expire-warning <integer>
end

cert-expire-warning <integer>

Set the certificate log expiring warning threshold, in days (0 - 100, default = 14).

Example

In this example, the local certificate expiry trigger is used with an email notification action to remind an administrator to re-sign or load a new local certificate and avoid a service interruption. The local certificate, fw-cert-30-days, will expire in 30 days. The certificate log expiring warning threshold is set to 31 days. Because the threshold exceeds the certificate's remaining lifetime, the near-expiry event log is generated and the stitch fires; with the default threshold of 14 days it would not fire until only 14 days remained, so choose a threshold that leaves enough time to renew.

To configure the certificate log expiring warning threshold:
config vpn certificate setting
    set cert-expire-warning 31
end
To configure an automation stitch with the local certificate expiry trigger in the GUI:
  1. Configure the trigger:

    1. Go to Security Fabric > Automation, select the Trigger tab, and click Create New.

    2. In the System section, click Local Certificate Expiry, and enter the following:

      Name

      Local Cert Expired Notification

      Description

      Default automation trigger configuration for when a local certificate is near expiration.

    3. Click OK.

  2. Configure the action:

    1. Go to Security Fabric > Automation, select the Action tab, and click Create New.

    2. In the Notifications section, click Email, and enter the following:

      Name

      email_no_rep_message

      To

      Enter an email address.

      Subject

      CSF stitch alert

    3. Click OK.

  3. Configure the stitch:

    1. Go to Security Fabric > Automation, select the Stitch tab, and click Create New.

    2. Enter the name, cert-expiry.

    3. Click Add Trigger. Select Local Cert Expired Notification and click Apply.

    4. Click Add Action. Select email_no_rep_message and click Apply.

    5. Click OK.

To configure an automation stitch with the local certificate expiry trigger in the CLI:
  1. Configure the trigger:
    config system automation-trigger
        edit "Local Cert Expired Notification"
            set description "Default automation trigger configuration for when a local certificate is near expiration."
            set event-type local-cert-near-expiry
        next
    end
  2. Configure the action:
    config system automation-action
        edit "email_no_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
        next
    end
  3. Configure the stitch:
    config system automation-stitch
        edit "cert-expiry"
            set trigger "Local Cert Expired Notification"
            config actions
                edit 1
                    set action "email_no_rep_message"
                    set required enable
                next
            end
        next
    end

Verification

Once the event log for the near-expiry local certificate is generated, the automation stitch is triggered and the email notification is sent.

To confirm that the stitch was triggered in the GUI:
  1. Go to Security Fabric > Automation and select the Stitch tab.
  2. Verify the Last Triggered column.

To confirm that the stitch was triggered in the CLI, check that the stitch shows a local hit count of at least 1, that the action shows done: 1, and that log ID 22207 is mapped to the stitch:
# diagnose test application autod 3
alert mail log count: 0

stitch: cert-expiry

        local hit: 1 relayed to: 0 relayed from: 0
        last trigger:Thu Jun 23 09:32:21 2022
        last relay:
        actions:
                email_no_rep_message:
                        done: 1 relayed to: 0 relayed from: 0
                        last trigger:Thu Jun 23 09:32:21 2022
                        last relay:

logid to stitch mapping:
id:22207  local hit: 1 relayed hits: 0
        cert-expiry
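Checking the autod counters by eye works for one stitch; when the check is scripted (for example, over an SSH session that captures the command output) the same verification can be automated. The following Python is an added example and is not Fortinet code; the sample output is constructed from the format shown above rather than captured from a device, and the function names parse_autod and verify_stitch are this example's own. It parses the stitch statistics and the log ID mapping, then reports anything that would mean the stitch did not fire or the email action did not run.

```python
"""Parse `diagnose test application autod 3` output and confirm that a stitch fired.

Added example, not Fortinet code. SAMPLE_OUTPUT is constructed from the
output format shown on this page, not captured from a live FortiGate.
"""
import re
from datetime import datetime

SAMPLE_OUTPUT = """\
alert mail log count: 0

stitch: cert-expiry

        local hit: 1 relayed to: 0 relayed from: 0
        last trigger:Thu Jun 23 09:32:21 2022
        last relay:
        actions:
                email_no_rep_message:
                        done: 1 relayed to: 0 relayed from: 0
                        last trigger:Thu Jun 23 09:32:21 2022
                        last relay:

logid to stitch mapping:
id:22207  local hit: 1 relayed hits: 0
        cert-expiry
"""

# "local hit: N relayed to: N relayed from: N" (stitch) or "done: N ..." (action)
COUNTERS_RE = re.compile(r"^(local hit|done):\s*(\d+)\s+relayed to:\s*(\d+)\s+relayed from:\s*(\d+)")
# "id:22207  local hit: 1 relayed hits: 0" in the logid mapping section
LOGID_RE = re.compile(r"^id:(\d+)\s+local hit:\s*(\d+)\s+relayed hits:\s*(\d+)")
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Jun 23 09:32:21 2022"


def _parse_time(value):
    value = value.strip()
    return datetime.strptime(value, TIME_FMT) if value else None


def parse_autod(text):
    """Return (stitches, logids).

    stitches: {name: {"local_hit", "last_trigger", "actions": {action: {"done", "last_trigger"}}}}
    logids:   {logid: {"local_hit", "relayed_hits", "stitches": [names]}}
    """
    stitches, logids = {}, {}
    stitch = action = logid = None
    in_mapping = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("logid to stitch mapping"):
            in_mapping = True
            continue
        if in_mapping:
            m = LOGID_RE.match(line)
            if m:
                logid = logids.setdefault(m.group(1), {"local_hit": int(m.group(2)),
                                                        "relayed_hits": int(m.group(3)),
                                                        "stitches": []})
            elif logid is not None:
                logid["stitches"].append(line)  # indented stitch names under the id
            continue
        if line.startswith("stitch:"):
            stitch = stitches.setdefault(line.split(":", 1)[1].strip(),
                                         {"local_hit": 0, "last_trigger": None, "actions": {}})
            action = None
            continue
        if stitch is None or line == "actions:":
            continue  # header lines such as "alert mail log count", or the actions marker
        m = COUNTERS_RE.match(line)
        if m:
            target = action if m.group(1) == "done" else stitch
            target[m.group(1).replace(" ", "_")] = int(m.group(2))
            target["relayed_to"], target["relayed_from"] = int(m.group(3)), int(m.group(4))
            continue
        if line.startswith("last trigger:"):
            (action or stitch)["last_trigger"] = _parse_time(line.split(":", 1)[1])
            continue
        if line.startswith("last relay:"):
            continue
        if line.endswith(":"):  # any other "name:" line under a stitch is an action name
            action = stitch["actions"].setdefault(line[:-1], {"done": 0, "last_trigger": None})
    return stitches, logids


def verify_stitch(text, stitch_name="cert-expiry", action_name="email_no_rep_message", logid="22207"):
    """Return a list of problems; an empty list means the stitch fired and its action ran."""
    stitches, logids = parse_autod(text)
    st = stitches.get(stitch_name)
    if st is None:
        return [f"stitch {stitch_name!r} not present in autod output"]
    problems = []
    if st["local_hit"] < 1:
        problems.append(f"{stitch_name}: never triggered (local hit = {st['local_hit']})")
    act = st["actions"].get(action_name)
    if act is None:
        problems.append(f"{stitch_name}: action {action_name!r} not attached")
    elif act["done"] < 1:
        problems.append(f"{action_name}: attached but never executed (done = {act['done']})")
    elif st["last_trigger"] and act["last_trigger"] and act["last_trigger"] < st["last_trigger"]:
        problems.append(f"{action_name}: last run predates the stitch's last trigger")
    if stitch_name not in logids.get(logid, {}).get("stitches", []):
        problems.append(f"log ID {logid} is not mapped to {stitch_name}")
    return problems


if __name__ == "__main__":
    problems = verify_stitch(SAMPLE_OUTPUT)
    print("OK: stitch fired and action ran" if not problems else "\n".join(problems))
```

The parser keys on the labels in the output rather than on exact indentation, so it tolerates different indent widths; a line ending in a colon that is not one of the known labels is treated as an action name, which holds for the format shown here. The "relayed" counters are kept so the same check can be applied to stitches that run on a downstream Security Fabric member.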
