FortiGate OCSP Integration

Problem

Especially in the VPN area, certificates are increasingly used for authentication. But what happens if such a certificate is revoked? How does FortiGate ensure that such a certificate can no longer be used?

Solution

With OCSP it is possible to check in real time whether a certificate is still valid.
For this purpose, whenever the certificate is used, the certification authority is queried via an API to find out whether the certificate is still valid or has been revoked for some reason.
What is checked is the certificate status held by the certification authority, not the expiration date or similar.

CRL vs. OCSP

CRLs are cached on the system. OCSP queries the certificate authority live and thus receives a real-time response. Furthermore, OCSP does not need to check the complete CRL; it asks directly about the certificate in question.
What can be a disadvantage for websites with a lot of traffic (heavy load on the OCSP server) is a big advantage for SSL-VPN security.

Configuration

The configuration between FortiGate and FortiAuthenticator is as follows:

Windows CA

In most cases a Windows CA is used as the certificate authority for machine or user certificates.
Here is a very good tutorial on how to configure the Windows server as an OCSP server.


FortiAuthenticator

OCSP must be enabled on the corresponding interface:


FortiGate

config vpn certificate ocsp-server
    edit "FAC_ocsp"
        set url "http://172.16.51.12:2560"
        set cert "FAC_CA_Cert"
    next
end
config vpn certificate setting
    set ocsp-status enable
    set ocsp-option server
    set ocsp-default-server FAC_ocsp
    set strict-ocsp-check disable
end

  • url: URL of the OCSP server endpoint (FortiAuthenticator uses port 2560)
  • cert: the CA certificate the OCSP server uses
  • ocsp-status: enables the OCSP check in general
  • ocsp-option:
    • server = use the server defined under "ocsp-server"
    • certificate = use the server defined in the certificate
  • ocsp-default-server: selects the default pre-defined "ocsp-server"
  • strict-ocsp-check:
    • disable (default): if the OCSP check is not possible, the certificate is treated as valid (fail-open)
    • enable: if the OCSP check is not possible, the certificate is treated as invalid (fail-closed)

Verify

diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.

[2395] handle_req-Rcvd auth_cert req id=1458978393, len=1105, opt=0
[915] __cert_auth_ctx_init-req_id=1458978393, opt=0
[103] __cert_chg_st- 'Init'
[139] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[99] __cert_chg_st- 'Init' -> 'Chain-Build'
[712] __cert_build_chain-req_id=1458978393
[199] fnbamd_chain_build-Chain discovery, opt 0x17, cur total 1
[215] fnbamd_chain_build-Following depth 0
[276] fnbamd_chain_build-Extend chain by system trust store. (good: 'G_CA_Cert_1')
[215] fnbamd_chain_build-Following depth 1
[229] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Chain-Build' -> 'Validation'
[771] __cert_verify-req_id=1458978393
[772] __cert_verify-Chain is complete.
[427] fnbamd_cert_verify-Chain number:2
[441] fnbamd_cert_verify-Following cert chain depth 0
[498] fnbamd_cert_verify-Trusted issuer found: G_CA_Cert_1
[441] fnbamd_cert_verify-Following cert chain depth 1
[689] fnbamd_cert_check_group_list-checking group with name 'FAC-VPN'
[503] __check_add_peer-check 'radius_HQ-FAC'
[505] __check_add_peer-'radius_HQ-FAC' is not a peer user.
[503] __check_add_peer-check 'HQ-FAC'
[383] peer_subject_cn_check-Cert subject 'CN = Andy'
[419] peer_subject_cn_check-Subject is good.
[139] fnbamd_ocsp_ctx_push-Get ocsp setting from 'HQ-FAC_ocsp', vfid 2
[511] __check_add_peer-'HQ-FAC' check ret:pending
[742] fnbamd_cert_check_group_list-OCSP servers
[746] fnbamd_cert_check_group_list-    'HQ-FAC_ocsp', ref=2
[751] fnbamd_cert_check_group_list-Peer users
[757] fnbamd_cert_check_group_list-    'HQ-FAC' ('N/A','HQ-FAC_ocsp')
[808] __cert_verify_do_next-req_id=1458978393
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[641] __cert_status_query-req_id=1458978393
[443] __cert_ldap_query-req_id=1458978393
[564] __cert_ocsp_query-req_id=1458978393
[587] __cert_ocsp_query-Created OCSP request
[591] __cert_ocsp_query-OCSP query, idx 0
[419] fnbamd_http_push_url-http://172.16.51.12:2560
[337] __fnbamd_http_get_next_host-Parsing 'http://172.16.51.12:2560'
[343] __fnbamd_http_get_next_host-host=172.16.51.12 port=2560(http) path=/
[834] __fnbamd_http_dns_cb-DNS returned 172.16.51.12 (172.16.51.12), cur total:1
[839] __fnbamd_http_dns_cb-Connection starts (172.16.51.12)
[809] __fnbamd_http_start_conn-Connecting 172.16.51.12 (172.16.51.12)
[524] __http_conn_timer_start-172.16.51.12 (172.16.51.12)
[887] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=1458978393
[1717] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=1458978393
[726] __connect-tcps_connect(172.16.51.12) is established.
[524] __http_conn_timer_start-172.16.51.12 (172.16.51.12)
[449] __http_make_request-HTTP 1.1 POST
[562] __http_send-Req total 226
[578] __http_send-Sent 226 bytes: pos=0, len=226
[583] __http_send-Sent all data: total=226
[623] __http_recv-Rcvd 1802 bytes: len=1802
[78] __http_code_check-good response, code=200
[155] __fnbamd_http_check_header-content-length: 1618
[644] __http_recv-Rcvd all data: total=1802, header=184, content-length=1618
[464] __http_stop-(172.16.51.12)
[472] __http_stop-Disconnectting 172.16.51.12 (172.16.51.12)
[499] __ocsp_query_cb-req_id=1458978393
[519] __ocsp_query_cb-Received OCSP rsp
[164] __cert_ocsp_resp_verify-Loaded OCSP server cert '(null)'
[340] fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=0(unspecified)
[186] __cert_ocsp_resp_verify-verify_ocsp_response returns 1 -1
[530] __ocsp_query_cb-OCSP res=0, status=1, server='HQ-FAC_ocsp', req_id=1458978393
[201] __cert_resume-req_id=1458978393
[99] __cert_chg_st- 'Status-Query' -> 'Done'
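
To pull the relevant fields out of such a capture, the following Python sketch summarizes one certificate check. It is an added example, not part of the original post and not a Fortinet tool; the sample lines are copied from the output above, and the function and field names are assumptions made for this example.

```python
import re

# Sample input: selected lines copied from the fnbamd debug output above.
SAMPLE = """\
[2395] handle_req-Rcvd auth_cert req id=1458978393, len=1105, opt=0
[99] __cert_chg_st- 'Init' -> 'Chain-Build'
[99] __cert_chg_st- 'Chain-Build' -> 'Validation'
[383] peer_subject_cn_check-Cert subject 'CN = Andy'
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[419] fnbamd_http_push_url-http://172.16.51.12:2560
[78] __http_code_check-good response, code=200
[340] fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=0(unspecified)
[530] __ocsp_query_cb-OCSP res=0, status=1, server='HQ-FAC_ocsp', req_id=1458978393
[99] __cert_chg_st- 'Status-Query' -> 'Done'
"""

PATTERNS = {  # hypothetical field names, one regex per debug line of interest
    "req_id": re.compile(r"handle_req-Rcvd auth_cert req id=(\d+)"),
    "subject": re.compile(r"peer_subject_cn_check-Cert subject '([^']*)'"),
    "responder_url": re.compile(r"fnbamd_http_push_url-(\S+)"),
    "http_code": re.compile(r"__http_code_check-.*code=(\d+)"),
    "ocsp_server": re.compile(r"__ocsp_query_cb-OCSP res=-?\d+, status=-?\d+, server='([^']*)'"),
}
STATE = re.compile(r"__cert_chg_st- '[^']*' -> '([^']*)'")
STATUS = re.compile(r"fnbamd_verify_ocsp_response-Cert status: (\w+)(?:, reason=\d+\(([^)]*)\))?")

def summarize(debug_text):
    """Return one dict describing the certificate check in an fnbamd capture."""
    out = {"states": [], "cert_status": None, "reason": None}
    for line in debug_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                out[key] = m.group(1)
        m = STATE.search(line)
        if m:
            out["states"].append(m.group(1))
        m = STATUS.search(line)
        if m:
            out["cert_status"], out["reason"] = m.group(1), m.group(2)
    # 'Status-Query' reached but no 'Cert status' line: no OCSP answer was verified.
    # With strict-ocsp-check disabled, such a certificate is still treated as valid.
    out["queried"] = "Status-Query" in out["states"]
    out["ocsp_answered"] = out["cert_status"] is not None
    return out

if __name__ == "__main__":
    for field, value in summarize(SAMPLE).items():
        print(f"{field}: {value}")
```

A capture in which queried is true but ocsp_answered is false is the case the strict-ocsp-check setting decides.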

