
Configuring a Fortigate for UTM inspection of SSL/TLS encrypted channels (Fortigate ssl mitm)

Man in the middle
What you are actually doing is creating a CA on the Fortigate (a public/private key pair). This Fortigate-housed CA will be a subordinate CA. Clients will trust it through the certificate chain, since they already trust your root CA. You may have seen this sort of thing before.

I am awaiting word on how to properly assign a CRL to the subordinate CA cert when signing.

Create the Subordinate CA key pair (certificate and key):
1) Log on to your CA via the console.

2) Generate the subordinate CA private key:

openssl genrsa -des3 -out /root/ca/private/fortigate.key 4096
chmod 600 /root/ca/private/fortigate.key

Protect fortigate.key. It is very important: anyone who holds this key can issue certificates that your clients will trust.

3) Generate a certificate signing request so that the root CA can generate a signed certificate using

openssl req -new -key /root/ca/private/fortigate.key -out /root/fortigate.csr
#Country Name (2 letter code) [XX]:US
#State or Province Name (full name) []:New York
#Locality Name (eg, city) [Default City]:New York
#Organization Name (eg, company) [Default Company Ltd]:Company Name
#Organizational Unit Name (eg, section) []:.
#Common Name (eg, your name or your server's hostname) []:Fortigate Internal CA
#Email Address []:support@companyname.com
#A challenge password []: [blank]
#An optional company name []: [blank]

4) Sign the certificate signing request with the CA keys and output a certificate that can be used as a CA:

openssl ca -extensions v3_ca -days 3650 -out /root/ca/certs/fortigate.cer -in /root/fortigate.csr
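
Before uploading the pair, it is worth confirming that the signed certificate really is a CA certificate, matches its private key, and chains to the root. The script below is an added example, not part of the original post: it builds a constructed throwaway root and subordinate with `openssl x509 -req` (standing in for the `openssl ca` setup above), and `check_sub_ca`, `make_demo_pki` and all file names in it are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload checks for a subordinate CA pair. All keys and
# certificates are constructed throwaway material; function names are hypothetical.

# check_sub_ca CERT KEY ROOT [KEYPASS]: returns 0 only if CERT is a CA
# certificate, KEY is its private key, and CERT chains to ROOT.
check_sub_ca() {
    cert=$1 key=$2 root=$3 pass=${4:-}
    # 1. Without CA:TRUE, clients reject every certificate signed by this one.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: not a CA certificate"; return 1; }
    # 2. The public key in the certificate must match the private key.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "FAIL: key does not match certificate"; return 2; }
    # 3. Clients only trust the pair if it chains to the root they already trust.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: does not chain to root"; return 3; }
    echo "OK"
}

# make_demo_pki DIR: build a constructed root CA, a correctly signed
# subordinate (sub.cer) and one signed without CA extensions (bad.cer).
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.cer" -subj "/CN=Constructed Root CA" -days 1 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/sub.key" -out "$d/sub.csr" -subj "/CN=Fortigate Internal CA" 2>/dev/null
    for ext in v3_ca leaf; do   # v3_ca -> sub.cer, leaf -> bad.cer
        [ "$ext" = v3_ca ] && out=sub.cer || out=bad.cer
        openssl x509 -req -in "$d/sub.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
            -extfile "$d/demo.cnf" -extensions "$ext" -days 1 -out "$d/$out" 2>/dev/null
    done
}

tmp=$(mktemp -d) && make_demo_pki "$tmp"
check_sub_ca "$tmp/sub.cer" "$tmp/sub.key" "$tmp/root.cer"
check_sub_ca "$tmp/bad.cer" "$tmp/sub.key" "$tmp/root.cer" || true
```

To check the real pair, call `check_sub_ca /root/ca/certs/fortigate.cer /root/ca/private/fortigate.key <root-ca-cert> <key-password>`; the root certificate path is a placeholder because the page does not give it.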

Install the key pair onto the Fortigate unit:
1) Copy both fortigate.key and fortigate.cer to a workstation so that you can upload them to the Fortigate.

2) Log on to the web UI of the Fortigate and access (global vdom scope) System> Certificates> Local Certificates

3) Click Import

4) Type: Certificate, Certificate file = fortigate.cer, Key file = fortigate.key, Password = password for fortigate.key. Click OK, then the Return link.
fortigate will be listed in the Local Certificates list.

5) At the Fortigate CLI, configure the HTTPS proxy daemon to present the certificate:

# If you have VDOMs configured, enter the global scope first; if not, skip this line and the final "end"
config global
config firewall ssl setting
set caname fortigate
end
end

Configure the policy options and policy:
1) In the Fortigate web UI, go to VDOM (root)> Policy> Protocol Options. Click the + symbol in the upper right to create another protocol options object.

2) Provide the following settings:

Name: SSL/TLS Options
HTTPS> check Enable Deep Scanning
All protocol items: Threshold = 2MB

3) Click Apply.

4) Create a policy that encompasses the HTTPS “service” from the client to the destination Internet service (IP addresses, route qualified interface, etc).
Under UTM make sure you set the Protocol Options to the “SSL/TLS Options” you just created in step 3.
