Implementing Fortigate syslog logging to a FortiManager when using FIPS mode

Written by Kevin Mann

January 21, 2023

As an organization that focuses on compliance, specifically NIST 800-171 and CMMC, we found ourselves in a predicament when it came to aligning the systems we use to support clients with the requirements in NIST/CMMC – the dreaded FIPS mode. In this article we will focus on Fortinet’s FortiManager.

Sending FortiGate (FGT for short) logs to a FortiManager (FMG for short) breaks when the FMG has FIPS enabled. One of the errors reported is “OFTP validation/verification failed”, but all of the errors reference the OFTP engine.

Message: OFTP SSL Error: remote_ip=x.x.x.x, error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

After spending many hours researching this and working with multiple Fortinet support reps, we found one who was able to help us, and with some additional tweaks we were able to get logging working again. Hopefully this information will help anyone else in a similar situation.

Steps we followed:

Setup:

-Created a directory called “ca” to act as the primary directory to run the next commands from.

-Copied the OpenSSL openssl.cnf file into the “ca” directory and opened it in a text editor. In the [ CA_default ] section, changed the “dir” line to point to the absolute path of the “ca” directory.

-Within “ca”, created the subdirectories “certs”, “crl”, “csr”, “newcerts” and “private”.

-In the “ca” directory, created a blank file “index.txt” and two files, “serial” and “crlnumber”, containing just “1000”. (Neither of the serial and crlnumber files has an extension; they can be created in Notepad by typing 1000 and saving.)

1-Set up a CA cert and key

2-Create a server private key

3-Generate a CSR for server cert

4-Sign the server cert. **Note: when performing this step, you MUST use the “-cert” switch and point it at the CA certificate you created in Step 1.
Example: openssl ca -config openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -cert certs/ca-cert.pem -in csr/fmgserver-cert-csr.pem -out certs/fmgserver-cert-cert.pem

5-Create server cert pfx

6-Create client cert key

7-Create client cert csr

8-Sign the client cert. **Note: when performing this step, you MUST use the “-cert” switch and point it at the CA certificate you created in Step 1.

9-Create client pfx

10-Import client cert as a pfx onto the FGT

11-Import the CA cert as a CA cert onto the FGT

12-Import the CA cert as a CA cert onto the FMG

13-Import the server cert as a Local PFX onto the FMG

14-Import the client cert as Remote onto the FMG

15-Set the FMG to use the server cert

config system certificate oftp
    set mode local
    set local <server cert name>
end

16-Set the FGT to use the client cert

config log fortianalyzer setting
    set certificate <client cert name>
    set certificate-verification disable
end
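The Setup section and steps 1 through 9 as one POSIX shell script, added here as an example and not taken from the original post. It writes a minimal openssl.cnf inline instead of copying the system one, keeps the post's -cert switch on both openssl ca calls, and uses constructed names (the CA name Lab Logging CA, the hosts fmg.lab.test and fgt01, the client-side file names) plus the placeholder PFX password changeit.

```shell
#!/bin/sh
# Added example (not from the original post): the Setup layout and steps 1-9 in one script.
set -eu
build_ca() (  # subshell body, so the cd below does not leak to the caller
  mkdir -p "$1" && cd "$1"
  mkdir -p certs crl csr newcerts private              # subdirectories from Setup
  : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Step 1: CA key and self-signed CA cert (CA name and host names below are constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config openssl.cnf -extensions v3_ca \
    -subj '/CN=Lab Logging CA' -keyout private/ca-key.pem -out certs/ca-cert.pem
  # Steps 2-4: server key and CSR, then sign with -cert pointing at the step 1 CA cert
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj '/CN=fmg.lab.test' \
    -keyout private/fmgserver-key.pem -out csr/fmgserver-cert-csr.pem
  openssl ca -batch -config openssl.cnf -extensions server_cert -days 375 -notext -md sha256 \
    -cert certs/ca-cert.pem -keyfile private/ca-key.pem -in csr/fmgserver-cert-csr.pem -out certs/fmgserver-cert-cert.pem
  # Step 5: server PFX (key + cert + CA) for the FMG "Local" import; the password is a placeholder
  openssl pkcs12 -export -passout pass:changeit -inkey private/fmgserver-key.pem \
    -in certs/fmgserver-cert-cert.pem -certfile certs/ca-cert.pem -out certs/fmgserver.pfx
  # Steps 6-9: the FGT client cert, signed under usr_cert so it carries clientAuth
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj '/CN=fgt01' \
    -keyout private/fgtclient-key.pem -out csr/fgtclient-csr.pem
  openssl ca -batch -config openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 \
    -cert certs/ca-cert.pem -keyfile private/ca-key.pem -in csr/fgtclient-csr.pem -out certs/fgtclient-cert.pem
  openssl pkcs12 -export -passout pass:changeit -inkey private/fgtclient-key.pem \
    -in certs/fgtclient-cert.pem -certfile certs/ca-cert.pem -out certs/fgtclient.pfx
)
```

Run it as `build_ca /path/to/ca`; the resulting fmgserver.pfx, fgtclient.pfx and ca-cert.pem are the files imported in steps 10 through 14.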

After completing these steps, the FGT logs should successfully reach, and be accepted by, the FMG server. Verify in FMG under Log View, where your FGT devices should show.
