FortiGuard third party SSL validation and anycast support
You can enable anycast to optimize the routing performance to FortiGuard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to the FortiGate. The domain name of each FortiGuard service is the common name in that service's certificate. The certificate is signed by a third party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, so that the FortiGate can always validate the FortiGuard server certificate efficiently.
To enable anycast in the FortiGuard settings:
config system fortiguard set protocol https set port 443 set fortiguard-anycast enable set fortiguard-anycast-source fortinet end
After anycast is enabled, the FortiGuard settings will enforce a connection using HTTPS and port 443.
HTTPS/443 is only supported on anycast servers. When
Connecting to the FortiGuard
The FortiGate will only complete the TLS handshake with a FortiGuard that provides a good OCSP status for its certificate. Any other status will result in a failed SSL connection. OCSP stapling is reflected on the signature interval (currently, 24 hours) so that good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and update its OCSP status. If the FortiGuard is unable to reach the OCSP responder, it will keep the last known OCSP status for seven days. This cached OCSP status will be sent out immediately when a client connection request is made, thus optimizing the response time.
The following steps are taken to connect to FortiGuard:
- The FortiGate embeds the CA_bundle certificate, which includes the root CA with CRL list and third party intermediate CA, in the root CA level.
- The FortiGate finds the FortiGuard IP address from its domain name from DNS:
- The FortiGate starts a TLS handshake with the FortiGuard IP address. The client hello includes an extension of the status request.
- The FortiGuard servers provide a certificate with its OCSP status: good, revoked, or unknown.
- The FortiGate verifies the CA chain against the root CA in the CA_bundle.
- The FortiGate verifies the intermediate CA's revoke status against the root CA's CRL.
- The FortiGate verifies the FortiGuard certificate's OCSP status:
OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F Produced At: Aug 20 07:50:58 2019 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686 Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F Serial Number: 02555C9F3901B799DF1873402FA9392D Cert Status: good This Update: Aug 20 07:50:58 2019 GMT Next Update: Aug 27 07:05:58 2019 GMT
Using FortiManager as local FortiGuard server
FortiManager can provide a local FortiGuard server with port 443 access.
Anycast FortiGuard settings force the rating process to use port 443, even with an override server. Using a unique address in the same subnet as the FortiManager access IP address, the FortiManager can provide local FortiGuard updates and rating access with a dedicated IP address and port 443.
To use a FortiManager as a local FortiGuard server:
config system central-management set type fortimanager set fmg "172.18.37.148" config server-list edit 1 set server-type update set server-address 172.18.37.150 next edit 2 set server-type rating set server-address 172.18.37.149 next end set fmg-update-port 443 set include-default-servers enable end
fmg-update-port is set to
443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager. If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address. Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake. If override servers in the FortiManager are not available, the default FortiGuard servers are connected, and the anycast OCSP TLS handshake is used.