LAB 06 Certificate Operations

Fortigate Labs 7.4

Uploaded by hedilon740

Lab 6: Certificate Operations

Contents
Lab 6: Certificate Operations
  Objectives
  Configure SSL Inspection
  Enable SSL Inspection in a Firewall Policy
  Install the Fortinet_CA_SSL Certificate
  To install the Fortinet_CA_SSL certificate in the browser
  Test Full SSL Inspection
  Dealing With Anomalies
  To block an invalid certificate with SSL full inspection
  To review SSL log messages
  Allow Exceptions to SSL Full Inspection

Lab 6: Certificate Operations
In this lab, you will configure full SSL inspection using a self-signed SSL certificate on FortiGate to inspect
outbound traffic. Next, you will review some situations that prevent full SSL inspection, and implement
workarounds. Finally, you will learn how to deal with some certificate anomalies.

Objectives
• Configure and enable full SSL inspection on outbound traffic
• Deal with certificate anomalies

Time to Complete

Estimated: 40 minutes

Exercise 1: Configuring Full SSL Inspection on Outbound Traffic

Full SSL inspection on outbound traffic allows FortiGate to inspect encrypted internet traffic and apply security
profiles to that traffic. It protects your network and end users from potential malware that could come from
secure websites, like HTTPS websites, that internal users visit. FortiGate employs a man-in-the-middle (MITM)
technique to inspect the traffic and apply security profiles, such as antivirus, web filter, and application control.

In this exercise, you will configure and enable full SSL inspection on all outbound traffic.

Configure SSL Inspection


By default, FortiGate includes four security profiles for SSL/SSH inspection: certificate-inspection, custom-
deep-inspection, deep-inspection, and no-inspection. You can modify the settings for the custom-deep-
inspection profile only or create a personalized profile. The other profiles are read-only. Because this exercise
involves configuring full SSL inspection on FortiGate, you will configure a new SSL/SSH inspection profile for
this purpose.

To configure SSL inspection


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Profiles > SSL/SSH Inspection.

3. Click Create New to create a new profile.

4. In the Name field, type Custom_Full_Inspection.

5. In the SSL Inspection Options section, verify that the following settings are configured (default values):

Field                       Value

Enable SSL inspection of    Multiple Clients Connecting to Multiple Servers

Inspection method           Full SSL Inspection

CA certificate              Fortinet_CA_SSL

6. Scroll down to the bottom of the page, and then in the Common Options section, do the following:

• In the Invalid SSL certificates field, select Custom.

• Confirm that the other settings are configured as shown in the following image (default values):

7. Click OK.

Enable SSL Inspection in a Firewall Policy
You must enable SSL inspection in a firewall policy to start inspecting SSL traffic. In this policy, you will use SSL
inspection associated with web filtering. For the purposes of this lab, you will enable the default web filter
security profile.

To enable SSL inspection in a firewall policy


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Edit the Full_Access firewall policy.

3. In the Security Profiles section, enable the following security profiles:

Security Profile    Value

Web Filter          default

SSL Inspection      Custom_Full_Inspection (the profile you created previously)

4. In the Logging Options section, enable Log Allowed Traffic, and then select All Sessions.

5. Click OK.

FortiGate displays a warning message to highlight that full SSL inspection is activated and might trigger
warnings in users' browsers.

6. Read the warning message, and then click OK.

Install the Fortinet_CA_SSL Certificate


FortiGate includes an SSL certificate, named Fortinet_CA_SSL, that you can use for full SSL inspection. The SSL
inspection profile you created in the previous step uses it. This certificate is signed by a certificate authority
(CA) named FortiGate CA, which is not public. Because the CA is not public, each time a user connects to a
secure website, the browser displays a certificate warning. This is because the browser receives traffic
encrypted by certificates signed by FortiGate, using a CA it does not know and trust.

You can avoid this warning by downloading the Fortinet_CA_SSL certificate and installing it on all workstations
as a public authority.

You will first test access to a secure website without the Fortinet_CA_SSL certificate installed in the browser.
Then, you will install the Fortinet_CA_SSL certificate in the browser and test access to the secure website
again.

To test full SSL inspection without a trusted CA
1. Connect to the Local-Client VM, and then log in with the username Administrator and
password password.

2. Open a browser, and then go to an HTTPS site, such as:

https://www.goto.com

3. Notice the certificate warning.

This warning appears because the browser receives certificates signed by the FortiGate CA private key, and the
corresponding CA certificate is not in the certificate store of the Local-Client VM.

4. Click Advanced, and then click View Certificate.

You can see that the certificate is issued by Fortinet (Issuer Name), and that it is valid. The subject alternative
names list includes a reference to the website you visited (goto.com, in our example).

5. Do not click Accept the Risk and Continue.

6. Leave the browser tab open, and then continue to the next procedure.

To install the Fortinet_CA_SSL certificate in the browser
1. On the Local-Client, open a new browser tab, and then log in to the Local-FortiGate GUI
at 10.0.1.254 with the username admin and password password.

This time, you might see a warning because the FortiGate GUI presented a certificate signed by a CA that your
browser doesn't trust.

2. If you get the warning message, click Advanced, and then click Accept the Risk and Continue.

3. Click System > Certificates.

4. In the Local CA Certificate section, click Fortinet_CA_SSL, and then click Download.

The browser downloads the certificate to the Downloads folder of your Local-Client VM.

5. Continuing in Firefox, in the upper-right corner, click the Open menu icon, and then click Settings.

6. Click Privacy & Security.

7. In the Certificates section, click View Certificates.

8. In the Certificate Manager window, click the Authorities tab.

You can see a list of certificates from the public CA. They are loaded by default in your browser.

9. Click Import.

10. In the Downloads folder, click Fortinet_CA_SSL.cer, and then click Select.

11. In the Downloading Certificate window, select Trust this CA to identify websites, and then click OK.

The Fortinet_CA_SSL certificate is added to the Firefox Authorities certificate store.

You can scroll down to see it in the list of authority certificates.

12. Click OK to exit the Certificate Manager.

13. Restart Firefox.


Test Full SSL Inspection
Now that you have imported the Fortinet_CA_SSL certificate into your browser, you will not receive certificate
warnings when you access a secure website.

The CA that signed this certificate is not public, but your browser trusts it, because you added it as a trusted
authority in the previous procedure.

To test SSL full inspection


1. Continuing on the Local-Client VM, open a new browser session, and then go to a secure website, such
as:

https://www.goto.com

This time, your browser opens the website without certificate warnings.

2. In the browser navigation bar, hover over the lock icon to see details.

You can see that the certificate is signed by Fortinet CA, and that the browser considers it valid.

3. Close the browser.

Dealing With Anomalies
When you work with certificates, you might face some issues due to invalid or revoked certificates. You might
also have to deal with restrictions that prevent the use of full SSL inspection.

In this exercise, you will learn how to import a certificate revocation list (CRL) on the FortiGate GUI. Next, you
will explore how FortiGate responds when it receives invalid certificates for traffic that matches a deep inspection
SSL profile. Finally, you will configure an exception to exclude a website from SSL full inspection.

Manage Invalid Certificates


A certificate can be invalid because it expired or because the CA that issued it revoked it. A company might
want to revoke a certificate because it was compromised, the key was lost, or, for example, because it was
assigned to a user who left the company. To inform others of revoked certificates, CA administrators
periodically publish CRLs. You will import a CRL.

To import a CRL
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click System > Certificates.

3. In the Remote CA Certificate section, right-click the Fortinet_Wifi_CA certificate, and then
select View Details.

4. Scroll down to the Extensions section, and look for X509v3 CRL Distribution Points.

5. Highlight one of the URIs, and then press Ctrl+C to copy the CRL distribution point URI.

6. Click Close to exit the Certificate Details window.

7. Click Create/Import > CRL.

8. Enable HTTP, and then paste the URI of the CRL HTTP server that you just copied.

9. Click OK.

The FortiGate GUI briefly displays an acknowledgment message similar to the following example:

10. Wait a few seconds, and then click System > Certificates again to refresh the page.

The CRL section now includes the CRL you just added.

Note that you can load CRLs on the FortiGate only for a CA that FortiGate trusts.
If you want to load the CRL that corresponds to your company CA, you must first
load your company CA certificate on FortiGate.

The Online Certificate Status Protocol (OCSP) is used for obtaining the
revocation status of an X.509 digital certificate. It can be used as an alternative
to CRLs. OCSP is disabled by default on FortiGate.

In this lab, we activated OCSP using the CLI commands shown below to receive
certificate validation from well-known CAs that support OCSP.

    config vpn certificate setting
        set ocsp-option certificate
        set ocsp-status enable
        set strict-ocsp-check enable
    end

To block an invalid certificate with SSL full inspection
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Select the Full_Access policy, and then click Edit.

3. Scroll down to the Security Profiles section, and then click the pen icon to edit the SSL
Inspection profile Custom_Full_Inspection.

4. Confirm that the settings are the same as what is shown in the following image:

5. Do not make any changes, and then click Cancel to exit the SSL inspection profile menu.

6. Click Cancel to exit the policy configuration menu.

7. Connect to the Local-Client VM, and then log in with the username Administrator and
password password.

8. Open a browser, and then visit https://revoked.badssl.com/.

9. In another browser tab, visit https://expired.badssl.com/.

FortiGate blocks access to the website and the browser displays a warning message similar to the following
image:

To review SSL log messages


1. Continuing on the Local-FortiGate GUI, click Log & Report > Security Events.

2. Expand the SSL widget to display the log list.

You can see that FortiGate blocked access to the website.

3. Double-click a log message to review the details.

You can see that the log message is similar for expired and revoked certificates.
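As an added example that is not part of the lab, the script below filters FortiGate-style key=value log lines for the SSL blocks this procedure has you review, listing the host and the message for each. The three sample lines are constructed, not captured from a FortiGate, and the field names used (subtype, action, hostname, msg) and the message text are assumptions that you should match against the details view of a real log entry before relying on them.

```shell
#!/bin/sh
# Added example, not from the lab: a small filter for FortiGate-style
# key=value log lines that lists SSL anomaly blocks. The sample lines are
# constructed; check field names against a real log entry's details view.
set -eu

# Constructed sample: two SSL blocks (expired, revoked) and one ordinary
# forwarded session that must not be reported.
SAMPLE_LOGS='date=2024-05-01 time=10:00:01 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.0.1.10 dstip=104.154.89.105 action="blocked" hostname="expired.badssl.com" msg="Server certificate expired"
date=2024-05-01 time=10:00:02 type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" srcip=10.0.1.10 dstip=104.154.89.105 action="blocked" hostname="revoked.badssl.com" msg="Server certificate revoked"
date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" level="notice" srcip=10.0.1.10 dstip=203.0.113.7 action="accept" hostname="www.goto.com" msg="Forwarded"'

# log_field LINE KEY: print the value of KEY, whether it is quoted (and may
# contain spaces) or bare; prints nothing if the key is absent.
log_field() {
    printf ' %s\n' "$1" | sed -n \
        -e "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Read log lines on stdin; print "hostname<TAB>msg" for every SSL block.
ssl_blocked_hosts() {
    while IFS= read -r line; do
        [ "$(log_field "$line" subtype)" = ssl ] || continue
        [ "$(log_field "$line" action)" = blocked ] || continue
        printf '%s\t%s\n' "$(log_field "$line" hostname)" "$(log_field "$line" msg)"
    done
}

# Number of SSL blocks in the constructed sample.
count_sample_blocks() {
    printf '%s\n' "$SAMPLE_LOGS" | ssl_blocked_hosts | wc -l | tr -d '[:space:]'
}

printf '%s\n' "$SAMPLE_LOGS" | ssl_blocked_hosts
```

Feed it an exported log file instead of the sample (`ssl_blocked_hosts < fortigate.log`) to get the same host and reason listing the GUI shows one entry at a time.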

Allow Exceptions to SSL Full Inspection
When replacing a certificate prevents users from accessing some websites, you can define exceptions and
exclude some websites from full SSL inspection. You can also exclude some websites or website categories
from full SSL inspection for legal reasons. For example, in some countries, it is forbidden to perform deep
inspection on traffic between users and financial institution servers.

You will add an exception to the SSL/SSH deep inspection profile that you have already configured.

To configure a site exception to SSL full inspection


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Security Profiles > SSL/SSH Inspection.
3. Edit the Custom_Full_Inspection profile.
4. In the Exempt from SSL Inspection section, click + to create new Addresses.
5. Create a new address object with the following parameters:

New Address    Value

Name           Badssl

Type           Subnet

IP/Netmask     104.154.89.105/32

6. Click OK.
7. In the SSL/SSH inspection profile, select the newly created address object Badssl.
8. Click OK to save the configuration change of the SSL/SSH inspection profile.
9. Click Policy & Objects > Firewall Policy.
10. Edit the Full_Access policy and set Custom_Full_Inspection as the SSL inspection profile.
11. Click OK.
To check the SSL full inspection exception
1. On the Local-Client VM, navigate to one of the websites you tested previously:

• https://revoked.badssl.com/

• https://expired.badssl.com/

2. Click Advanced, and then click Accept the Risk and Continue to accept the browser warning.

Now, you can visit the website.

Usually, you will configure SSL full inspection exceptions only for websites that
do not support MITM and that your company trusts. Those websites should have
a valid certificate and therefore do not trigger a browser warning.
