Fortinet white logo
Fortinet white logo

Administration Guide

Microsoft CA deep packet inspection

Microsoft CA deep packet inspection

In most production environments, you want to use a certificate issued be your own PKI for deep packet inspection (DPI).

An existing Microsoft root CA can be used to issue a subordinate CA (sub CA) certificate that is installed as a DPI certificate on the FortiGate.

Complete the following steps to create your own sub CA certificate and use it for DPI:

  1. Create a Microsoft sub CA certificate
  2. Export the certificate and private key
  3. Import the certificate and private key into the FortiGate
  4. Configure a firewall policy for DPI
  5. Verify that the sub CA certificate is being used for DPI

The FortiGate firewall uses information in the original web server certificate, then issues a new certificate signed by the Microsoft DPI certificate. The FortiGate then sends this certificate with the issuing DPI certificate to the client's web browser when the SSL session is being established.

The browser verifies that the certificate was issued by a valid CA, then looks for the issuing CA of the Microsoft DPI certificate in its loca trusted root CA store to complete the path to trusted root CA.

The Microsoft CA root certificate is normally deployed to all client PCs in the Windows domain, so the client can complete the certificate path up to a trusted root CA. The FortiGate now controls and can inspect the two HTTPS sessions: one with the external web server, and one with the client PC.

Create a Microsoft sub CA certificate

A Microsoft sub CA certificate can be created on a Microsoft CA server, or remotely using a web browser.

Creating a certificate remotely requires that the web enrollment option is configured on the Microsoft CA server. Remote certificate requests require HTTPS; requests are not allowed with HTTP.

To create a Microsoft sub CA certificate remotely:
  1. Open a web browser and go to one of the following URLs:
    • https://<FQDN-CA-server>/CertSrv
    • https://<IP-CA-server>/CertSrv.
  2. Log in to a domain administrator account that has web enrollment rights.

  3. Click Request a certificate.
  4. Click advanced certificate request.

  5. Click Create and submit a request to this CA, then click Yes in the Web Access Confirmation warning.
  6. For the Certificate Template, select Subordinate Certification Authority.
  7. Enable Mark keys as exportable.
  8. Fill out the remaining information according to your security policy.

  9. Submit the request.
  10. Click Yes in the Web Access Confirmation warning.
  11. Click Install this certificate.

    The certificate and private key are located in the current user's certificate store.

Export the certificate and private key

To export the certificate and private key:
  1. Open the Microsoft Management Console (MMC) and add the Certificate Snap-in.
  2. Go to the user's certificate store to locate the sub CA certificate that you just installed.

  3. Right-click the certificate and select All Tasks > Export.
  4. Click Next to start the Microsoft Certificate Export Wizard.
  5. Follow the steps in the wizard:
    • When asked, select Yes, export the private key.
    • Only the PKCS #12 (.PFX) format is available, and it requires a password.
    • When selecting the encryption type, select TripleDES-SHA1 if you are using an older version of FortiOS (5.6.9 and earlier). Otherwise, select AES256-SHA256.

  6. Complete the wizard, and save the DPI certificate to a local folder.

Import the certificate and private key into the FortiGate

The certificate can be imported from the local computer using the GUI, or from a TFTP server using the CLI.

After importing the certificate, you can view it in the GUI to verify that it was successfully imported.

To import the certificate and private key into the FortiGate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to PKCS #12 Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Enter the password, then confirm the password.

  6. Optionally, customize the Certificate name.

  7. Click OK.

To import the certificate and private key into the FortiGate in the CLI:
execute vpn certificate local import tftp fsso2019subca-AES256.pfx <tftp_IP> p12 <password>
To verify that the certificate was imported:
  1. Go to System > Certificates.
  2. Locate the newly imported certificate in the table.
  3. Select the certificate and click View Details to view the certificate details.

Configure a firewall policy for DPI

The certificate is used in an SSL/SSH inspection profile that is then used in a firewall policy.

To configure a firewall policy for DPI:
  1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
  2. Configure the inspection profile, selecting the new certificate

  3. Click Apply.
  4. Go to Policy & Objects > Firewall Policy.
  5. Create a new policy, or edit an existing policy.
  6. In the SSL Inspection field, select the new SSL inspection profile.

  7. Configure the remaining settings as needed.
  8. Click OK.

Verify that the sub CA certificate is being used for DPI

You can verify that the certificate is being used for resigning web server certificates when a user connects to an external HTTPS website.

To verify that the certificate is being used:
  1. On a client PC that is behind the FortiGate, go to an external HTTPS website.

    When connecting to the website, no certificate warning should be shown.

  2. In your web browser, view the certificate and certificate path.

    The methods for doing this vary depending on the browser. See your browsers documentation for information.

Microsoft CA deep packet inspection

Microsoft CA deep packet inspection

In most production environments, you want to use a certificate issued be your own PKI for deep packet inspection (DPI).

An existing Microsoft root CA can be used to issue a subordinate CA (sub CA) certificate that is installed as a DPI certificate on the FortiGate.

Complete the following steps to create your own sub CA certificate and use it for DPI:

  1. Create a Microsoft sub CA certificate
  2. Export the certificate and private key
  3. Import the certificate and private key into the FortiGate
  4. Configure a firewall policy for DPI
  5. Verify that the sub CA certificate is being used for DPI

The FortiGate firewall uses information in the original web server certificate, then issues a new certificate signed by the Microsoft DPI certificate. The FortiGate then sends this certificate with the issuing DPI certificate to the client's web browser when the SSL session is being established.

The browser verifies that the certificate was issued by a valid CA, then looks for the issuing CA of the Microsoft DPI certificate in its loca trusted root CA store to complete the path to trusted root CA.

The Microsoft CA root certificate is normally deployed to all client PCs in the Windows domain, so the client can complete the certificate path up to a trusted root CA. The FortiGate now controls and can inspect the two HTTPS sessions: one with the external web server, and one with the client PC.

Create a Microsoft sub CA certificate

A Microsoft sub CA certificate can be created on a Microsoft CA server, or remotely using a web browser.

Creating a certificate remotely requires that the web enrollment option is configured on the Microsoft CA server. Remote certificate requests require HTTPS; requests are not allowed with HTTP.

To create a Microsoft sub CA certificate remotely:
  1. Open a web browser and go to one of the following URLs:
    • https://<FQDN-CA-server>/CertSrv
    • https://<IP-CA-server>/CertSrv.
  2. Log in to a domain administrator account that has web enrollment rights.

  3. Click Request a certificate.
  4. Click advanced certificate request.

  5. Click Create and submit a request to this CA, then click Yes in the Web Access Confirmation warning.
  6. For the Certificate Template, select Subordinate Certification Authority.
  7. Enable Mark keys as exportable.
  8. Fill out the remaining information according to your security policy.

  9. Submit the request.
  10. Click Yes in the Web Access Confirmation warning.
  11. Click Install this certificate.

    The certificate and private key are located in the current user's certificate store.

Export the certificate and private key

To export the certificate and private key:
  1. Open the Microsoft Management Console (MMC) and add the Certificate Snap-in.
  2. Go to the user's certificate store to locate the sub CA certificate that you just installed.

  3. Right-click the certificate and select All Tasks > Export.
  4. Click Next to start the Microsoft Certificate Export Wizard.
  5. Follow the steps in the wizard:
    • When asked, select Yes, export the private key.
    • Only the PKCS #12 (.PFX) format is available, and it requires a password.
    • When selecting the encryption type, select TripleDES-SHA1 if you are using an older version of FortiOS (5.6.9 and earlier). Otherwise, select AES256-SHA256.

  6. Complete the wizard, and save the DPI certificate to a local folder.

Import the certificate and private key into the FortiGate

The certificate can be imported from the local computer using the GUI, or from a TFTP server using the CLI.

After importing the certificate, you can view it in the GUI to verify that it was successfully imported.

To import the certificate and private key into the FortiGate in the GUI:
  1. Go to System > Certificates and select Create/Import > Certificate.

  2. Click Import Certificate.

  3. Set Type to PKCS #12 Certificate.

  4. Click Upload, and locate the certificate on the management computer.

  5. Enter the password, then confirm the password.

  6. Optionally, customize the Certificate name.

  7. Click OK.

To import the certificate and private key into the FortiGate in the CLI:
execute vpn certificate local import tftp fsso2019subca-AES256.pfx <tftp_IP> p12 <password>
To verify that the certificate was imported:
  1. Go to System > Certificates.
  2. Locate the newly imported certificate in the table.
  3. Select the certificate and click View Details to view the certificate details.

Configure a firewall policy for DPI

The certificate is used in an SSL/SSH inspection profile that is then used in a firewall policy.

To configure a firewall policy for DPI:
  1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
  2. Configure the inspection profile, selecting the new certificate

  3. Click Apply.
  4. Go to Policy & Objects > Firewall Policy.
  5. Create a new policy, or edit an existing policy.
  6. In the SSL Inspection field, select the new SSL inspection profile.

  7. Configure the remaining settings as needed.
  8. Click OK.

Verify that the sub CA certificate is being used for DPI

You can verify that the certificate is being used for resigning web server certificates when a user connects to an external HTTPS website.

To verify that the certificate is being used:
  1. On a client PC that is behind the FortiGate, go to an external HTTPS website.

    When connecting to the website, no certificate warning should be shown.

  2. In your web browser, view the certificate and certificate path.

    The methods for doing this vary depending on the browser. See your browsers documentation for information.