Basic authentication with cached client certificates
With basic authentication, client certificates can be cached and used as authentication cookies, eliminating the need for repeated user authentication.
In this example, a CA signs a client certificate. The client certificate is installed on two endpoints, and the root CA certificate is imported to FortiProxy.
During the authentication process, the client certificate from the endpoint is verified against the CA certificate. Once this verification is successful, the user is prompted to enter login credentials for user authentication. Once authenticated, the client certificate is stored as an authentication cookie so that subsequent access does not require any user authentication as long as the client certificate remains present on the endpoint.
To configure client certificates as authentication cookies:
1. Prepare the certificate:
   a. Use a CA to sign the client certificate.
   b. Import the root CA certificate that signed the client certificate to FortiProxy.
   c. Install the client certificate on all endpoints.
2. In FortiProxy, configure an authentication scheme to apply authentication against the local user database.
       config authentication scheme
           edit "test-ztna-basic"
               set method basic
               set user-database "local-user-db"
           next
       end
3. Configure an authentication rule to enable the client certificate to be cached.
       config authentication rule
           edit "test-ztna-rules"
               set srcaddr "all"
               set ip-based disable
               set active-auth-method "test-ztna-basic"
               set cert-auth-cookie enable
           next
       end
4. Configure verification of the client certificate with the root CA.
       config authentication setting
           set user-cert-ca "Fortinet_CA_SSL"
       end
When the user accesses a resource, such as a web site, for the first time:
1. The browser prompts the user for a client certificate. The user selects the certificate and clicks OK. Then the endpoint device presents the client certificate to FortiProxy for verification.
2. Once the certificate verification passes, an authentication dialog box is displayed.
3. The user enters their username and password to authenticate with FortiProxy and successfully access the web site.
FortiProxy also logs the first access in the traffic log:
date=2024-09-24 time=10:51:14 eventtime=1727200273867863612 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.33 srcport=65460 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.1.25 dstport=8443 dstintf="port1" dstintfrole="undefined" sessionid=187004326 service="tcp/8443" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="a98f9846-6f96-51ef-ceb1-1a3cf607c973" policyname="httptest" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.33 duration=0 vip="httpsvip" accessproxy="httpsvip" clientdevicemanageable="unknown" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=653 sentbyte=653 lanout=1930 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera" unauthusersource="forticlient" srcremote=207.102.138.19 appcat="unscanned"
When the user accesses the resource from the same endpoint device for the second and subsequent times, FortiProxy uses the cached authentication cookie to grant access, as long as the client certificate remains present on the endpoint.
When the user has multiple endpoint devices with the same certificate installed, the certificate will match the cached authentication cookie on the FortiProxy, and the user can access resources without additional authentication.
This log shows a user accessing a website from a different PC (IP address 10.1.100.78) without needing to provide user credentials.
date=2024-09-24 time=10:56:51 eventtime=1727200611445887844 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.120.1.35 srcport=49153 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.1.1.25 dstport=8443 dstintf="port1" dstintfrole="undefined" sessionid=187004406 service="tcp/8443" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="a98f9846-6f96-51ef-ceb1-1a3cf607c973" policyname="httptest" trandisp="snat" transip=10.120.1.209 transport=0 clientip=10.120.1.35 duration=0 vip="httpsvip" accessproxy="httpsvip" clientdevicemanageable="unknown" clientcert="yes" wanin=0 rcvdbyte=0 wanout=0 lanin=653 sentbyte=653 lanout=1930 fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera" unauthusersource="forticlient" srcremote=207.102.138.19 appcat="unscanned"
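Because a cached certificate lets the same user in from any endpoint that holds it, an administrator will want to see which source IPs are riding on a certificate-backed session. The following script is an added example, not Fortinet code: it parses FortiProxy key=value traffic log lines (abbreviated here from the two lines quoted above) and lists, per user, the source IPs of accepted ZTNA sessions where clientcert="yes". The field names are taken from the logs on this page; grouping by unauthuser alone is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Two ZTNA traffic log lines, shortened from the ones quoted on this page
# (fields not needed for this check are omitted).
SAMPLE_LOGS = [
    'date=2024-09-24 time=10:51:14 type="traffic" subtype="ztna" srcip=10.120.1.33 '
    'dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" '
    'clientcert="yes" fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera"',
    'date=2024-09-24 time=10:56:51 type="traffic" subtype="ztna" srcip=10.120.1.35 '
    'dstip=10.1.1.25 dstport=8443 action="accept" policyname="httptest" '
    'clientcert="yes" fctuid="70A5C5FABBE64A9B98B6DDA3FE8AC794" unauthuser="usera"',
]

# key=value pairs; values are either "double quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line):
    """Parse one Fortinet key=value log line into a dict, quotes stripped."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def cert_auth_endpoints(lines):
    """Map user -> sorted list of source IPs for accepted ZTNA sessions
    in which the endpoint presented a client certificate."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_log(line)
        if f.get("subtype") != "ztna" or f.get("action") != "accept":
            continue
        if f.get("clientcert") != "yes":
            continue  # no certificate involved, so no cached-cookie access
        seen[f.get("unauthuser")].add(f.get("srcip"))
    return {user: sorted(ips) for user, ips in seen.items()}


def multi_endpoint_users(lines):
    """Users whose certificate-backed sessions came from more than one source IP,
    i.e. the shared-certificate case this page describes; review these."""
    return {u: ips for u, ips in cert_auth_endpoints(lines).items() if len(ips) > 1}


if __name__ == "__main__":
    for user, ips in multi_endpoint_users(SAMPLE_LOGS).items():
        print(f"{user}: certificate-backed access from {', '.join(ips)}")
```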