Replace Fortigate Certificate for Explicit Proxy (6.03)

Author
DavidMcQueenLPS
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/04/10 07:42:08
  • Status: offline
2019/07/09 12:55:55 (permalink)

I found a cookbook article for 5.2 but that doesn't hold for 6.03.
 
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-security-profiles-52/Other_Profile_Considerations/SSL%20content%20scanning%20and%20inspection.htm
 
We are trying to transition from a Squid based Man in the Middle filter system to the Fortigate.  We do not want to install the fortigate cert on all the machines, since we already have one installed and working.  Much rather make that one the signer on the fortigate.
#1


    hubertzw
    Gold Member
    • Total Posts : 173
    • Scores: 5
    • Reward points: 0
    • Joined: 2018/04/16 13:29:04
    • Status: offline
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 02:42:36 (permalink)
    You can use an internal certificate authority; on the FGT you need to generate a CSR and then issue the certificate (template "Subordinate Certification Authority").
    #2
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 05:06:13 (permalink)
    I have the Certificate installed and being used for SSL Deep Packet Inspection and it is working great there.  The explicit proxy does not use this one and I cannot seem to locate how, in 6.03, to point it to this cert.
    #3
    hubertzw
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 06:13:35 (permalink)
    In the proxy policy you have Security Profiles, as with Firewall Policies. Set the profile with the correct cert
    #4
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 06:44:45 (permalink)
    Here is my Proxy Policy... I will reply 3 more times with the Options, Web Filter and SSL Inspection info (only 1 image per post).

    Attached Image(s)

    #5
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 07:26:04 (permalink)
    Proxy Options:
     

    Attached Image(s)

    #6
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 07:40:45 (permalink)
    Web Filter:
     

    Attached Image(s)

    #7
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 08:07:41 (permalink)
    SSL/SSH Inspection Profile:
     

    Attached Image(s)

    #8
    hubertzw
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/10 09:07:53 (permalink)
    What do you see in the UTM logs? You can also enable logging of all sessions just for the troubleshooting.
    #9
    DavidMcQueenLPS
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/11 10:48:08 (permalink)
    So I ended up opening a support ticket for this issue.
     
    The engineer noticed something that should not be possible. In the Proxy Policy the service was not set. I say that this is not possible, because that is a required field. When the engineer was changing the Logging options, it errored on that field until it was set.
     
    So all is functioning. Still not sure why I was getting the Fortigate's self-signed cert, but problem solved.
    #10
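An added example, not code from the thread or from Fortinet, that walks through the two technical points above in one script: hubertzw's step of issuing a subordinate CA to a CSR (the FortiGate generates the CSR under System > Certificates; here openssl stands in for it), and the check the original poster needed in the end, namely inspecting which CA actually signed the certificate a client received through the proxy. The root CA, the "Corp FortiGate Resigning CA" name, the proxy host and every path are hypothetical; the live `s_client -proxy` check is shown as a comment only, since it needs a real proxy.

```shell
#!/bin/sh
# Added example (not from the thread): build an internal root CA, issue a
# subordinate (resigning) CA to a CSR, mint a leaf with it as the proxy would,
# and check that each certificate is what the clients should see.
# All names and paths are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXT="$WORK/ext.cnf"

# Extension sections. v3_subca is what an AD CS "Subordinate Certification
# Authority" template issues: CA:TRUE plus keyCertSign, which a resigning CA
# must carry. v3_leaf is an ordinary server certificate.
cat >"$EXT" <<'EOF'
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Internal root CA: stands in for the CA already installed on the clients.
make_root_ca() {
  openssl genrsa -out "$WORK/root.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/root.key" -subj "/CN=Corp Internal Root CA" \
    -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$EXT" -extensions v3_root -out "$WORK/root.crt" >/dev/null 2>&1
}

# FortiGate side: a CSR (generated on the FGT in practice), signed by the root
# with the subordinate-CA extensions. fgt.crt is what gets imported back.
issue_subordinate_ca() {
  openssl genrsa -out "$WORK/fgt.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/fgt.key" -subj "/CN=Corp FortiGate Resigning CA" \
    -out "$WORK/fgt.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$EXT" -extensions v3_subca \
    -out "$WORK/fgt.crt" >/dev/null 2>&1
}

# What the proxy does per site during deep inspection: resign a server
# certificate with the subordinate CA.
resign_leaf() {
  openssl genrsa -out "$WORK/leaf.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=www.example.com" \
    -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/fgt.crt" -CAkey "$WORK/fgt.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -extensions v3_leaf \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Check 1: only a certificate with basicConstraints CA:TRUE and keyUsage
# keyCertSign can be used to resign. Exit status 0 if both are present.
is_resigning_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# Check 2: the resigned leaf must chain to the internal root through the
# subordinate CA; this is what a client holding only the root will evaluate.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fgt.crt" "$1" >/dev/null 2>&1
}

# Check 3: issuer CN of a certificate as received by a client. If it still
# names the FortiGate's default CA, the proxy policy is not applying the
# SSL/SSH inspection profile that carries the imported certificate.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Live check against a real explicit proxy (OpenSSL 1.1.0+; not run here):
#   openssl s_client -proxy proxy.corp.example:8080 -connect www.example.com:443 \
#     -showcerts </dev/null 2>/dev/null | openssl x509 -noout -issuer

make_root_ca
issue_subordinate_ca
resign_leaf
is_resigning_ca "$WORK/fgt.crt" && echo "fgt.crt is usable as a resigning CA"
chain_ok "$WORK/leaf.crt" && echo "resigned leaf chains to Corp Internal Root CA"
echo "leaf issuer CN: $(issuer_cn "$WORK/leaf.crt")"
```

Run the live `s_client -proxy` line from a client workstation once the profile is in place: the issuer it prints must be the subordinate CA you imported, and `openssl verify` against the root the clients already trust must pass. If the issuer is still the FortiGate's default CA, the policy the traffic matches is not the one carrying the profile, which is the kind of policy mismatch the support engineer found in this thread.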
    hubertzw
    Re: Replace Fortigate Certificate for Explicit Proxy (6.03) 2019/07/11 13:18:43 (permalink)
    Thanks for update!
    #11