DavidMcQueenLPS
New Contributor

Replace Fortigate Certificate for Explicit Proxy (6.03)

I found a cookbook article for 5.2 but that doesn't hold for 6.03.

 

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-security-profiles-52/Other_Profi...

 

We are trying to transition from a Squid-based man-in-the-middle filter system to the FortiGate. We do not want to install the FortiGate cert on all the machines, since we already have one installed and working. We would much rather make that one the signer on the FortiGate.

hubertzw
Contributor III

You can use an internal certificate authority: on the FGT you need to generate a CSR and then issue the certificate from it (template "Subordinate Certification Authority").

DavidMcQueenLPS

I have the Certificate installed and being used for SSL Deep Packet Inspection and it is working great there.  The explicit proxy does not use this one and I cannot seem to locate how, in 6.03, to point it to this cert.

 

 

hubertzw

In the proxy policy you have Security Profiles, as with firewall policies. Set the profile with the correct cert.

DavidMcQueenLPS

Here is my Proxy Policy. I will reply 3 more times with the Options, Web Filter and SSL Inspection info (only 1 image per post).

hubertzw

What do you see in the UTM logs? You can also enable logging all sessions just for the troubleshooting

DavidMcQueenLPS
New Contributor

Proxy Options:

 

DavidMcQueenLPS

Web Filter:

 

DavidMcQueenLPS

SSL/SSH Inspection Profile:

 

DavidMcQueenLPS
New Contributor

So I ended up opening a support ticket for this issue.

 

The engineer noticed something that should not be possible. In the Proxy Policy the service was not set. I say that this is not possible, because that is a required field. When the engineer was changing the Logging options, it errored on that field until it was set.

 

So all is functioning. Still not sure why I was getting the FortiGate's self-signed cert, but problem solved.
