Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.6 Administration Guide
    7.6.6
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Microsoft CA deep packet inspection

    Microsoft CA deep packet inspection

    In most production environments, you want to use a certificate issued be your own PKI for deep packet inspection (DPI). This is due to the trust relationship involved with certificates and the access (trust) they are given. As such, it is extremely important to take precautions that these certificates are not misused and in the event that they are compromised, you retain the ability to revoke their validity.

    Microsoft PKI best practice utilizes a two-tier system where a Root CA signs a sub-CA (or Issuing CA, named after its role), and this Sub-CA is used to sign (sometimes referred to as generate) end-entity certificates, such as the certificate used by FortiGates for DPI. The purpose of this two tier system is to keep the Root CA offline so that the private key of the Root CA is better protected from being compromised.

    If a sub-CA becomes compromised, it can be removed from the PKI. If the Root CA becomes compromised, the entire PKI must be replaced. Therefore, the following steps take place on a sub-CA of the Root CA for your organization.

    Complete the following steps to create your own sub-CA certificate and use it for DPI:

    1. Create a Microsoft sub-CA certificate

    2. Export the certificate and private key

    3. Import the certificate and private key into the FortiGate

    4. Configure a firewall policy for DPI

    5. Verify that the sub CA certificate is being used for DPI

    The FortiGate firewall uses information in the original web server certificate (e.g. www.google.com), then issues a new certificate signed by the DPI certificate. The FortiGate then sends this new certificate along with the issuing DPI certificate to the client's web browser when the SSL session is being established.

    The browser verifies that the web server certificate (e.g.www.google.com) was issued by a valid CA, then looks for the issuing CA of the DPI certificate in its local trusted Root-CA store to complete the path to trusted Root-CA. In this case, the issuing CA is a sub-CA of the Root-CA. The end device will need a trust chain to ensure it understands that this sub-CA is approved by the Root-CA that the device trusts.

    The Root-CA certificate is normally deployed to all client PCs in the Windows domain, so the client can complete the certificate path up to a trusted root CA. Note that this is the public key of the Root-CA. The FortiGate now controls and can inspect the two HTTPS sessions: one with the external web server, and one with the client PC.

    Create a Microsoft sub-CA certificate

    A Microsoft sub-CA certificate can be created directly on a Microsoft sub-CA server, or remotely using a web browser.

    Creating a certificate remotely requires that the web enrollment option is configured on the Microsoft sub-CA server. Remote certificate requests require HTTPS; requests are not allowed with HTTP.

    To create a Microsoft sub CA certificate remotely:
    1. Open a web browser and go to one of the following URLs:
      • https://<FQDN-CA-server>/CertSrv
      • https://<IP-CA-server>/CertSrv
    2. Log in to a domain administrator account that has web enrollment rights.

    3. Click Request a certificate.
    4. Click advanced certificate request.

    5. Click Create and submit a request to this CA, then click Yes in the Web Access Confirmation warning.
    6. For the Certificate Template, select Subordinate Certification Authority.
    7. Enable Mark keys as exportable.
    8. Fill out the remaining information according to your security policy.

    9. Submit the request.
    10. Click Yes in the Web Access Confirmation warning.
    11. Click Install this certificate.

      The certificate and private key are located in the current user's certificate store.

    Export the certificate and private key

    To export the certificate and private key:
    1. Open the Microsoft Management Console (MMC) and add the Certificate Snap-in.
    2. Go to the user's certificate store to locate the sub CA certificate that you just installed.

    3. Right-click the certificate and select All Tasks > Export.
    4. Click Next to start the Microsoft Certificate Export Wizard.
    5. Follow the steps in the wizard:
      • When asked, select Yes, export the private key.
      • Only the PKCS #12 (.PFX) format is available, and it requires a password.
      • When selecting the encryption type, select TripleDES-SHA1 if you are using an older version of FortiOS (5.6.9 and earlier). Otherwise, select AES256-SHA256.

    6. Complete the wizard, and save the DPI certificate to a local folder.

    Import the certificate and private key into the FortiGate

    The certificate can be imported from the local computer using the GUI, or from a TFTP server using the CLI.

    After importing the certificate, you can view it in the GUI to verify that it was successfully imported.

    To import the certificate and private key into the FortiGate in the GUI:

    1. Go to System > Certificates and select Create/Import > Certificate.

    2. Click Import Certificate.

    3. Set Type to PKCS #12 Certificate.

    4. Click Upload, and locate the certificate on the management computer.

    5. Enter the password, then confirm the password.

    6. Optionally, customize the Certificate name.

    7. Click OK.

    To import the certificate and private key into the FortiGate in the CLI:
    execute vpn certificate local import tftp fsso2019subca-AES256.pfx <tftp_IP> p12 <password>
    To verify that the certificate was imported:
    1. Go to System > Certificates.
    2. Locate the newly imported certificate in the table.
    3. Select the certificate and click View Details to view the certificate details.

    Configure a firewall policy for DPI

    The certificate is used in an SSL/SSH inspection profile that is then used in a firewall policy.

    To configure a firewall policy for DPI:
    1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
    2. Configure the inspection profile, selecting the new certificate

    3. Click Apply.
    4. Go to Policy & Objects > Firewall Policy.
    5. Create a new policy, or edit an existing policy.
    6. In the SSL Inspection field, select the new SSL inspection profile.

    7. Configure the remaining settings as needed.
    8. Click OK.

    Verify that the sub CA certificate is being used for DPI

    You can verify that the certificate is being used for resigning web server certificates when a user connects to an external HTTPS website.

    To verify that the certificate is being used:
    1. On a client PC that is behind the FortiGate, go to an external HTTPS website.

      When connecting to the website, no certificate warning should be shown.

    2. In your web browser, view the certificate and certificate path.

      The methods for doing this vary depending on the browser. See your browsers documentation for information.

    Previous
    Next

    Microsoft CA deep packet inspection

    Microsoft CA deep packet inspection

    In most production environments, you want to use a certificate issued be your own PKI for deep packet inspection (DPI). This is due to the trust relationship involved with certificates and the access (trust) they are given. As such, it is extremely important to take precautions that these certificates are not misused and in the event that they are compromised, you retain the ability to revoke their validity.

    Microsoft PKI best practice utilizes a two-tier system where a Root CA signs a sub-CA (or Issuing CA, named after its role), and this Sub-CA is used to sign (sometimes referred to as generate) end-entity certificates, such as the certificate used by FortiGates for DPI. The purpose of this two tier system is to keep the Root CA offline so that the private key of the Root CA is better protected from being compromised.

    If a sub-CA becomes compromised, it can be removed from the PKI. If the Root CA becomes compromised, the entire PKI must be replaced. Therefore, the following steps take place on a sub-CA of the Root CA for your organization.

    Complete the following steps to create your own sub-CA certificate and use it for DPI:

    1. Create a Microsoft sub-CA certificate

    2. Export the certificate and private key

    3. Import the certificate and private key into the FortiGate

    4. Configure a firewall policy for DPI

    5. Verify that the sub CA certificate is being used for DPI

    The FortiGate firewall uses information in the original web server certificate (e.g. www.google.com), then issues a new certificate signed by the DPI certificate. The FortiGate then sends this new certificate along with the issuing DPI certificate to the client's web browser when the SSL session is being established.

    The browser verifies that the web server certificate (e.g.www.google.com) was issued by a valid CA, then looks for the issuing CA of the DPI certificate in its local trusted Root-CA store to complete the path to trusted Root-CA. In this case, the issuing CA is a sub-CA of the Root-CA. The end device will need a trust chain to ensure it understands that this sub-CA is approved by the Root-CA that the device trusts.

    The Root-CA certificate is normally deployed to all client PCs in the Windows domain, so the client can complete the certificate path up to a trusted root CA. Note that this is the public key of the Root-CA. The FortiGate now controls and can inspect the two HTTPS sessions: one with the external web server, and one with the client PC.

    Create a Microsoft sub-CA certificate

    A Microsoft sub-CA certificate can be created directly on a Microsoft sub-CA server, or remotely using a web browser.

    Creating a certificate remotely requires that the web enrollment option is configured on the Microsoft sub-CA server. Remote certificate requests require HTTPS; requests are not allowed with HTTP.

    To create a Microsoft sub CA certificate remotely:
    1. Open a web browser and go to one of the following URLs:
      • https://<FQDN-CA-server>/CertSrv
      • https://<IP-CA-server>/CertSrv
    2. Log in to a domain administrator account that has web enrollment rights.

    3. Click Request a certificate.
    4. Click advanced certificate request.

    5. Click Create and submit a request to this CA, then click Yes in the Web Access Confirmation warning.
    6. For the Certificate Template, select Subordinate Certification Authority.
    7. Enable Mark keys as exportable.
    8. Fill out the remaining information according to your security policy.

    9. Submit the request.
    10. Click Yes in the Web Access Confirmation warning.
    11. Click Install this certificate.

      The certificate and private key are located in the current user's certificate store.

    Export the certificate and private key

    To export the certificate and private key:
    1. Open the Microsoft Management Console (MMC) and add the Certificate Snap-in.
    2. Go to the user's certificate store to locate the sub CA certificate that you just installed.

    3. Right-click the certificate and select All Tasks > Export.
    4. Click Next to start the Microsoft Certificate Export Wizard.
    5. Follow the steps in the wizard:
      • When asked, select Yes, export the private key.
      • Only the PKCS #12 (.PFX) format is available, and it requires a password.
      • When selecting the encryption type, select TripleDES-SHA1 if you are using an older version of FortiOS (5.6.9 and earlier). Otherwise, select AES256-SHA256.

    6. Complete the wizard, and save the DPI certificate to a local folder.

    Import the certificate and private key into the FortiGate

    The certificate can be imported from the local computer using the GUI, or from a TFTP server using the CLI.

    After importing the certificate, you can view it in the GUI to verify that it was successfully imported.

    To import the certificate and private key into the FortiGate in the GUI:

    1. Go to System > Certificates and select Create/Import > Certificate.

    2. Click Import Certificate.

    3. Set Type to PKCS #12 Certificate.

    4. Click Upload, and locate the certificate on the management computer.

    5. Enter the password, then confirm the password.

    6. Optionally, customize the Certificate name.

    7. Click OK.

    To import the certificate and private key into the FortiGate in the CLI:
    execute vpn certificate local import tftp fsso2019subca-AES256.pfx <tftp_IP> p12 <password>
    To verify that the certificate was imported:
    1. Go to System > Certificates.
    2. Locate the newly imported certificate in the table.
    3. Select the certificate and click View Details to view the certificate details.

    Configure a firewall policy for DPI

    The certificate is used in an SSL/SSH inspection profile that is then used in a firewall policy.

    To configure a firewall policy for DPI:
    1. Go to Security Profiles > SSL/SSH Inspection and click Create New.
    2. Configure the inspection profile, selecting the new certificate

    3. Click Apply.
    4. Go to Policy & Objects > Firewall Policy.
    5. Create a new policy, or edit an existing policy.
    6. In the SSL Inspection field, select the new SSL inspection profile.

    7. Configure the remaining settings as needed.
    8. Click OK.

    Verify that the sub CA certificate is being used for DPI

    You can verify that the certificate is being used for resigning web server certificates when a user connects to an external HTTPS website.

    To verify that the certificate is being used:
    1. On a client PC that is behind the FortiGate, go to an external HTTPS website.

      When connecting to the website, no certificate warning should be shown.

    2. In your web browser, view the certificate and certificate path.

      The methods for doing this vary depending on the browser. See your browsers documentation for information.

    Previous
    Next