Sunday, May 6, 2018

securing FortiGate HTTPS admin with PKI

Fortinet takes admin access via PKI very seriously. Here I've crafted a user certificate that was uploaded to my Firefox browser.

This cert will be requested every time we log in via the WebGUI. The steps are summarized as:

1: upload the trusted CA to the FortiGate certificate store
2: craft a user-peer and set the CA and CN values
3: craft a PKI admin
4: enable admin-pki
5: optionally, set the user-peer to two-factor so the user will need both a cert and a password
6: !!!! this is a great approach if you need HTTPS access from the untrusted and dangerous internet !!!!
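As an added example (not from the original post or a Fortinet document), here is what steps 1 to 5 look like in the FortiOS CLI using the names from this post (CA_Cert_1, admin pki2, group pki); the peer name kfelix_peer, the CN, the password and the PEM body are placeholders I chose, and the lines starting with # are explanatory comments.

```fortios
# Step 1: import the trusted CA (placeholder PEM body, paste your own CA certificate)
config vpn certificate ca
    edit "CA_Cert_1"
        set ca "-----BEGIN CERTIFICATE-----
<PEM BODY OF YOUR CA CERTIFICATE>
-----END CERTIFICATE-----"
    next
end

# Step 2: the user peer ties the issuing CA to the subject CN expected in the user cert.
# Step 5: two-factor makes the peer require a password in addition to a matching cert.
config user peer
    edit "kfelix_peer"
        set ca "CA_Cert_1"
        set cn "<CN FROM THE USER CERTIFICATE>"
        set two-factor enable
        set passwd "<STRONG PASSWORD>"
    next
end

# Peer group that the admin account references (named "pki" as in this post)
config user peergrp
    edit "pki"
        set member "kfelix_peer"
    next
end

# Step 3: the PKI admin authenticates against the peer group instead of a local password
config system admin
    edit "pki2"
        set peer-auth enable
        set peer-group "pki"
        set accprofile "super_admin"
        set vdom "root"
    next
end

# Step 4: demand a client certificate on every HTTPS admin login
config system global
    set admin-https-pki-required enable
end
```

Keep console or SSH access open while testing: once admin-https-pki-required is enabled, the GUI rejects every login that does not present a certificate matching a peer, so a mistyped CN locks you out of the GUI.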

Here's a view of these simple steps. I will not bother with showing the user CSR generation.



My Socpuppets CA root certificates


User peer defined via CLI


Notice that two-factor and a password are set; my CA certificate is known as CA_Cert_1.


NOTE: pki2 is my admin configuration and is a member of the  user group named simply  pki


Admin Configuration





A typical WebGUI admin login with the Firefox cert imported



Here are a few Chrome-based browsers challenging my user (these cannot access the macOS certificate store directly)







The Firefox browsers are the best and most reliable, based on my experience.









Any web users with no certificate will generate a log message similar to the one below





A certificate decoder view of the user certificate (notice the CN that was used for the PKI user)





NOTE: This certificate was built with a short lifetime due to some other testing that I'm doing. In reality you will define the certificate lifetime as the system admin's requirements dictate. A consultant on a project might have a shorter lifetime than IT security staff.


A few business cases where PKI admin has been a success

  • remote DR sites that need WebUI access via the internet
  • trusted-CA-issued certificates are hard to forge
  • a user cannot easily share his/her remote password, which prevents user password sharing
  • remote-support engineers who need a limited life and scope for remote access when TeamViewer or WebEx is not an option
  • makes it almost next to impossible to brute-force a login attack against a device










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
