Administration Guide

FDN third-party SSL validation and Anycast support

You can enable Anycast to optimize routing performance to FortiGuard servers. FortiManager relies on Fortinet DNS servers to obtain a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to FortiManager. The domain name of each FortiGuard service is the common name in that service's certificate, which is signed by a third-party intermediate CA. The FortiGuard server uses Online Certificate Status Protocol (OCSP) stapling, so FortiManager can always validate the FortiGuard server certificate efficiently.

When Anycast is enabled, FortiManager completes the TLS handshake only with a FortiGuard server that provides a good OCSP status for its certificate. Any other status results in a failed SSL connection. The stapled OCSP status is based on the signature interval (currently 24 hours), and good means that the certificate was not revoked at that timestamp. The FortiGuard servers query the CA's OCSP responder every four hours and update their OCSP status. If a FortiGuard server is unable to reach the OCSP responder, it keeps the last known OCSP status for seven days. This cached OCSP status is sent immediately when a client makes a connection request, which optimizes the response time.
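When a connection fails after Anycast is enabled, it helps to see what a server actually staples. The following is an added example, not Fortinet code: it parses the OCSP section that `openssl s_client -status` prints and applies the "good or fail" rule described above. The sample text is constructed, and the freshness check against This Update and Next Update is the standard OCSP rule, assumed here rather than taken from FortiManager.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OCSP section printed by `openssl s_client -status`.
SAMPLE_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May  1 08:00:00 2024 GMT
    Cert Status: good
    This Update: May  1 08:00:00 2024 GMT
    Next Update: May  2 08:00:00 2024 GMT
"""
SAMPLE_REVOKED = SAMPLE_GOOD.replace("Cert Status: good", "Cert Status: revoked")
SAMPLE_NONE = "OCSP response: no response sent\n"


def _field(text, name):
    """Return the value of the first 'name: value' line, or None."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None


def _ts(value):
    """Parse an OpenSSL timestamp such as 'May  1 08:00:00 2024 GMT' as UTC."""
    clean = " ".join(value.split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def staple_verdict(text, now):
    """Return (accept, reason); anything other than a current 'good' is rejected."""
    if "no response sent" in text:
        return False, "no stapled response"
    if not (_field(text, "OCSP Response Status") or "").startswith("successful"):
        return False, "responder error"
    status = _field(text, "Cert Status")
    if status != "good":
        return False, f"cert status {status}"
    this_upd, next_upd = _field(text, "This Update"), _field(text, "Next Update")
    if not this_upd or not next_upd:
        return False, "missing validity window"
    # Assumption: standard OCSP freshness rule, not documented FortiManager logic.
    if not _ts(this_upd) <= now <= _ts(next_upd):
        return False, "stale or not yet valid"
    return True, "good"
```

Feed `staple_verdict` the text captured from `openssl s_client -status` against the FortiGuard service name in use, with `now` set to the current UTC time.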

To enable Anycast support:
  1. Enable Anycast support:

    config fmupdate fds-setting
    (fds-setting)# set fortiguard-anycast enable
    (fds-setting)# end

  2. (Optional) Specify an authorized mirror server hosted by AWS for better performance:

    config fmupdate fds-setting
    (fds-setting)# set fortiguard-anycast-source {aws | fortinet}
    (fds-setting)# end