Fortinet black logo

Cookbook

FortiGuard third party SSL validation and anycast support

Copy Link
Copy Doc ID 30be976a-bbb3-11ee-8673-fa163e15d75b:734277
Download PDF

FortiGuard third party SSL validation and anycast support

You can enable anycast to optimize the routing performance to FortiGuard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to the FortiGate. The domain name of each FortiGuard service is the common name in that service's certificate. The certificate is signed by a third party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, so that the FortiGate can always validate the FortiGuard server certificate efficiently.

To enable anycast in the FortiGuard settings:
config system fortiguard
    set protocol https
    set port 443
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end

After anycast is enabled, the FortiGuard settings will enforce a connection using HTTPS and port 443.

Note

HTTPS/443 is only supported on anycast servers. When fortiguard-anycast is disabled, use HTTPS/8888 or HTTPS/53.

Connecting to the FortiGuard

The FortiGate will only complete the TLS handshake with a FortiGuard that provides a good OCSP status for its certificate. Any other status will result in a failed SSL connection. OCSP stapling is reflected on the signature interval (currently, 24 hours) so that good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and update its OCSP status. If the FortiGuard is unable to reach the OCSP responder, it will keep the last known OCSP status for seven days. This cached OCSP status will be sent out immediately when a client connection request is made, thus optimizing the response time.

The following steps are taken to connect to FortiGuard:
  1. The FortiGate embeds the CA_bundle certificate, which includes the root CA with CRL list and third party intermediate CA, in the root CA level.
  2. The FortiGate finds the FortiGuard IP address from its domain name from DNS:
    fds=qaupdate.fortinet.net-192.168.100.242
  3. The FortiGate starts a TLS handshake with the FortiGuard IP address. The client hello includes an extension of the status request.
  4. The FortiGuard servers provide a certificate with its OCSP status: good, revoked, or unknown.
  5. The FortiGate verifies the CA chain against the root CA in the CA_bundle.
  6. The FortiGate verifies the intermediate CA's revoke status against the root CA's CRL.
  7. The FortiGate verifies the FortiGuard certificate's OCSP status:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
        Produced At: Aug 20 07:50:58 2019 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
          Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
          Serial Number: 02555C9F3901B799DF1873402FA9392D
        Cert Status: good
        This Update: Aug 20 07:50:58 2019 GMT
        Next Update: Aug 27 07:05:58 2019 GMT

Using FortiManager as local FortiGuard server

FortiManager can provide a local FortiGuard server with port 443 access.

Anycast FortiGuard settings force the rating process to use port 443, even with an override server. Using a unique address in the same subnet as the FortiManager access IP address, the FortiManager can provide local FortiGuard updates and rating access with a dedicated IP address and port 443.

To use a FortiManager as a local FortiGuard server:
config system central-management
    set type fortimanager
    set fmg "172.18.37.148"
    config server-list
        edit 1
            set server-type update
            set server-address 172.18.37.150
        next
        edit 2
            set server-type rating
            set server-address 172.18.37.149
        next
    end
    set fmg-update-port 443
    set include-default-servers enable
end

When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager. If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address. Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake. If override servers in the FortiManager are not available, the default FortiGuard servers are connected, and the anycast OCSP TLS handshake is used.

FortiGuard third party SSL validation and anycast support

You can enable anycast to optimize the routing performance to FortiGuard servers. Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to the FortiGate. The domain name of each FortiGuard service is the common name in that service's certificate. The certificate is signed by a third party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, so that the FortiGate can always validate the FortiGuard server certificate efficiently.

To enable anycast in the FortiGuard settings:
config system fortiguard
    set protocol https
    set port 443
    set fortiguard-anycast enable
    set fortiguard-anycast-source fortinet
end

After anycast is enabled, the FortiGuard settings will enforce a connection using HTTPS and port 443.

Note

HTTPS/443 is only supported on anycast servers. When fortiguard-anycast is disabled, use HTTPS/8888 or HTTPS/53.

Connecting to the FortiGuard

The FortiGate will only complete the TLS handshake with a FortiGuard that provides a good OCSP status for its certificate. Any other status will result in a failed SSL connection. OCSP stapling is reflected on the signature interval (currently, 24 hours) so that good means that the certificate is not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and update its OCSP status. If the FortiGuard is unable to reach the OCSP responder, it will keep the last known OCSP status for seven days. This cached OCSP status will be sent out immediately when a client connection request is made, thus optimizing the response time.

The following steps are taken to connect to FortiGuard:
  1. The FortiGate embeds the CA_bundle certificate, which includes the root CA with CRL list and third party intermediate CA, in the root CA level.
  2. The FortiGate finds the FortiGuard IP address from its domain name from DNS:
    fds=qaupdate.fortinet.net-192.168.100.242
  3. The FortiGate starts a TLS handshake with the FortiGuard IP address. The client hello includes an extension of the status request.
  4. The FortiGuard servers provide a certificate with its OCSP status: good, revoked, or unknown.
  5. The FortiGate verifies the CA chain against the root CA in the CA_bundle.
  6. The FortiGate verifies the intermediate CA's revoke status against the root CA's CRL.
  7. The FortiGate verifies the FortiGuard certificate's OCSP status:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
        Produced At: Aug 20 07:50:58 2019 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
          Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
          Serial Number: 02555C9F3901B799DF1873402FA9392D
        Cert Status: good
        This Update: Aug 20 07:50:58 2019 GMT
        Next Update: Aug 27 07:05:58 2019 GMT

Using FortiManager as local FortiGuard server

FortiManager can provide a local FortiGuard server with port 443 access.

Anycast FortiGuard settings force the rating process to use port 443, even with an override server. Using a unique address in the same subnet as the FortiManager access IP address, the FortiManager can provide local FortiGuard updates and rating access with a dedicated IP address and port 443.

To use a FortiManager as a local FortiGuard server:
config system central-management
    set type fortimanager
    set fmg "172.18.37.148"
    config server-list
        edit 1
            set server-type update
            set server-address 172.18.37.150
        next
        edit 2
            set server-type rating
            set server-address 172.18.37.149
        next
    end
    set fmg-update-port 443
    set include-default-servers enable
end

When fmg-update-port is set to 443, the update process will use port 443 to connect to the override update server, which is the local FortiGuard server in the FortiManager. If this is not set, the update process will use port 8890, and the server address setting has to be the FortiManager access IP address. Override FortiGuard services come from the server list that is the local FortiGuard server in the FortiManager, and use the traditional, non-OCSP TLS handshake. If override servers in the FortiManager are not available, the default FortiGuard servers are connected, and the anycast OCSP TLS handshake is used.