Configuring a Fortigate for UTM inspection of SSL/TLS encrypted channels (Fortigate ssl mitm)
Man in the middle
What you are actually doing is giving the Fortigate a subordinate CA key pair: a private key plus a CA certificate signed by your existing root CA. Once that pair is installed, the Fortigate terminates each HTTPS session, generates a certificate for the requested site on the fly, signs it with the subordinate CA and presents that to the client. Clients accept it because they trust the certificate chain (the Fortigate CA chains up to the root CA they already trust), which also means every client whose traffic is inspected must have your root CA in its trust store. You may have seen this sort of thing before.
I am awaiting word on how to properly assign a CRL to the subordinate CA cert when signing.
Create the Subordinate CA key pair (certificate and key):
1) Log on to your CA via the console.
2) Generate the subordinate CA private key:
openssl genrsa -des3 -out /root/ca/private/fortigate.key 4096
chmod 600 /root/ca/private/fortigate.key
Protect fortigate.key. It is very important: anyone holding this key and its passphrase can issue a certificate for any site, and every client that trusts your root CA will accept it, which is exactly the man-in-the-middle capability you are about to hand to the Fortigate.
3) Generate a certificate signing request for the root CA to sign. Answer the prompts roughly as below; the Common Name is what users will see as the issuer of every intercepted site:
openssl req -new -key /root/ca/private/fortigate.key -out /root/fortigate.csr
Country Name (2 letter code) [XX]: US
State or Province Name (full name): New York
Locality Name (eg, city) [Default City]: New York
Organization Name (eg, company) [Default Company Ltd]: Company Name
Organizational Unit Name (eg, section): .
Common Name (eg, your name or your server's hostname): Fortigate Internal CA
Email Address: firstname.lastname@example.org
A challenge password: [blank]
An optional company name: [blank]
4) Sign the request with the root CA key, producing a certificate that is itself permitted to act as a CA:
openssl ca -extensions v3_ca -days 3650 -out /root/ca/certs/fortigate.cer -in /root/fortigate.csr
-extensions v3_ca selects the v3_ca section of the CA's openssl.cnf, which must set basicConstraints = CA:TRUE or the Fortigate will not be able to sign anything. For this particular certificate it is worth tightening that section (or a copy of it) with pathlen:0 and keyUsage = keyCertSign, cRLSign, so the key sitting on the appliance can only issue end-entity certificates. Ten years (-days 3650) is generous for a key that lives on a network device; use whatever your CA policy allows.
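As an added, runnable walkthrough of steps 1 to 4 (example code written for this page, not the author's own script): it builds a throwaway root CA, creates the Fortigate subordinate key pair, signs it with an explicit v3_sub_ca extension section instead of relying on whatever v3_ca in your openssl.cnf happens to say, and then runs the checks you would want before uploading anything. The working directory under $WORK, the demo passphrase, the 2048-bit keys, the -subj values and the extension section names are assumptions for the demo; against your real CA you would keep the page's /root/ca layout, the -des3 4096-bit key and the interactive prompts.

```shell
#!/bin/sh
# Added example, not part of the original page: the page's sub-CA procedure
# end to end against a throwaway root CA, so the result can be checked before
# it goes onto the Fortigate. $WORK, the passphrase, the 2048-bit keys and the
# -subj values are demo assumptions; the page uses /root/ca, an existing root
# CA, a 4096-bit key and interactive prompts.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
PASS="${PASS:-change-me}"   # passphrase protecting fortigate.key (demo value)

# Minimal openssl.cnf for "openssl ca". The v3_sub_ca section is the point:
# the Fortigate certificate is a CA, but one that may only issue end-entity
# certificates (pathlen:0) and may only sign certificates and CRLs.
write_config() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = $WORK
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/root.cer
private_key    = \$dir/root.key
default_md     = sha256
policy         = demo_policy
unique_subject = no
[ demo_policy ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_sub_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Stand-in for the root CA the page assumes you already run.
make_demo_root() {
    write_config
    openssl req -x509 -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.cer" -days 3650 \
        -subj "/O=Company Name/CN=Demo Root CA" -extensions v3_root_ca 2>/dev/null
}

# Steps 2-4 of the page: passphrase-protected key, CSR, signature by the root.
make_fortigate_subca() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/fortigate.key" 2048 2>/dev/null
    chmod 600 "$WORK/fortigate.key"
    openssl req -new -config "$CNF" -key "$WORK/fortigate.key" -passin "pass:$PASS" \
        -subj "/O=Company Name/CN=Fortigate Internal CA" -out "$WORK/fortigate.csr" 2>/dev/null
    openssl ca -batch -config "$CNF" -extensions v3_sub_ca -days 3650 -notext \
        -in "$WORK/fortigate.csr" -out "$WORK/fortigate.cer" >/dev/null 2>&1
}

# Checks worth running before the upload: the chain verifies against the root
# and the certificate really carries the CA constraints it needs.
check_subca() {
    openssl verify -CAfile "$WORK/root.cer" "$WORK/fortigate.cer" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$WORK/fortigate.cer" -noout -text)
    echo "$text" | grep -q 'CA:TRUE, pathlen:0' || return 1
    echo "$text" | grep -q 'Certificate Sign, CRL Sign'
}

# What the Fortigate does per connection once this is installed: mint a
# certificate for the site the client asked for, signed by the sub-CA. A client
# that trusts root.cer accepts it; one that does not gets a warning on every site.
mint_leaf_via_subca() {
    host="$1"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/leaf.ext"
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -subj "/CN=$host" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/fortigate.cer" -CAkey "$WORK/fortigate.key" \
        -passin "pass:$PASS" -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.cer" 2>/dev/null
    openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/fortigate.cer" "$WORK/leaf.cer" >/dev/null 2>&1
}

make_demo_root
make_fortigate_subca
check_subca && echo "fortigate.cer verifies against root.cer and is a pathlen:0 issuing CA"
mint_leaf_via_subca www.example.com && echo "leaf for www.example.com chains to root.cer through fortigate.cer"
echo "artifacts in $WORK"
```

The last function mimics what the appliance does for every intercepted connection and is the quickest way to see why the root CA has to be on every client: drop root.cer from the -CAfile argument and the minted leaf fails verification, which is the warning your users would see.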
Install the key pair onto the Fortigate unit:
1) Copy both fortigate.key and fortigate.cer to a workstation so that you can upload them to the Fortigate. The key is passphrase-protected, but still delete the workstation copies once the import has succeeded.
2) Log on to the web UI of the Fortigate and access (global vdom scope) System> Certificates> Local Certificates
3) Click Import
4) Type: Certificate, Certificate file = fortigate.cer, Key file = fortigate.key, Password = password for fortigate.key. Click OK, then the Return link.
A certificate named fortigate will now appear in the Local Certificates list.
5) At the Fortigate CLI, configure the HTTPS proxy daemon to present the certificate:
config global
    config firewall ssl setting
        set caname fortigate
    end
end
The config global line and its matching outer end are only needed when VDOMs are configured; without VDOMs, start at config firewall ssl setting.
Configure the policy options and policy:
1) In the Fortigate web UI, go to VDOM (root)> Policy> Protocol Options. Click the + symbol in the upper right to create another protocol options object.
2) Provide the following settings:
Name: SSL/TLS Options
HTTPS: check Enable Deep Scanning
All protocol items: Threshold = 2MB
3) Click Apply.
4) Create a firewall policy that matches the HTTPS service from the client side to the Internet destination (source and destination addresses, the interfaces the traffic is routed through, and so on).
Under UTM, set Protocol Options to the “SSL/TLS Options” object you just created. Two things to confirm before rolling this out: every client behind the policy must have your root CA installed, otherwise every HTTPS site it visits will raise a certificate warning; and applications that validate the server certificate themselves (certificate pinning) will reject the Fortigate-signed certificate, so plan exemptions for those destinations.