Fortinet NSE 4 (Security) - 06. Certificate Operations
When using full SSL Inspection, if the Untrusted SSL certificates is set to Allow and the external website certificate is trusted, which certificate is used to sign the temporary certificate sent to the internal client?
Fortinet_CA_SSL
When using full SSL Inspection, if the Untrusted SSL certificates is set to Ignore and the external website certificate is untrusted, which certificate is used to sign the temporary certificate sent to the internal client?
Fortinet_CA_SSL
When using full SSL Inspection, if the Untrusted SSL certificates is set to Allow and the external website certificate is not trusted, which certificate is used to sign the temporary certificate sent to the internal client?
Fortinet_CA_Untrusted
By default, what does SSL use to discern the hostname of the SSL server at the beginning of the SSL handshake?
Server Name Identification (SNI) from the Client Hello, which is an extension of the TLS protocol
What are the only security features you can apply using SSL certificate inspection mode?
Web Filtering and Application Control
What is the certificate standard supported by FortiGate?
X.509v3 (the most common standard for certificates)
When using full SSL inspection, the FortiGate must act as a proxy web server. What settings must be configured in the certificate?
cA=True AND keyUsage=keyCertSign
What is the process a CA uses to create a digital signature?
1. The CA runs the contents of the certificate through a hash function; the output is referred to as the original hash result
2. The CA encrypts the original hash result using its private key; the result is the digital signature
What four checks does FortiGate run prior to trusting a certificate?
1. Checks the CRLs, both locally and using OCSP
2. Reads the value of the Issuer field to determine whether there is a corresponding CA certificate (if there is no CA certificate, the certificate is not trusted)
3. Verifies that the current date is between the Valid From and Valid To values
4. Validates the signature
What is the process of establishing an SSL handshake?
1. FortiGate connects to the web server and provides information such as the SSL version in use and the cryptographic algorithms supported
2. The web server responds with the chosen SSL version and cipher suite, as well as a copy of its certificate
3. FortiGate validates the web server certificate (Is there a corresponding CA certificate? Is the signature valid? Are the dates valid? Does it pass the revocation check?)
4. FortiGate generates the premaster secret and encrypts it using the web server's public key
5. The web server uses its private key to decrypt the premaster secret
6. Both sides derive the master secret from the premaster secret
7. The session (symmetric) key is generated from the shared master secret
8. Both ends send a digest (summary) of the messages exchanged so far. The digests are encrypted with the session key and ensure that none of the messages have been intercepted or replaced
What is the process FortiGate uses to verify the digital signature?
1. FortiGate runs the certificate through the hash function identified in the certificate
2. FortiGate decrypts the digital signature provided by the CA using the CA's public key
3. FortiGate compares the values from steps 1 and 2 to confirm that they match. Match = valid signature
What are the 5 steps involved in Full SSL Inspection of Outbound Traffic?
1. The internal browser connects to an external SSL-enabled web server
2. FortiGate intercepts the certificate sent from the external web server and bound for the internal client
3. The FortiGate internal CA generates a new key pair and certificate (the new certificate's subject name must be the DNS name of the website)
4. The FortiGate-produced web server certificate is sent to the internal client
5. SSL is established between the external web server and FortiGate using the new certificate
In this mode, FortiGate can decrypt data from both the web server and the internal client
Which certificate store is utilized by FortiOS?
Mozilla CA
If configuring an SSL/SSH Inspection profile for outbound traffic, what must you select for the Enable SSL inspection of setting?
Multiple Clients Connecting to Multiple Servers
Which configuration requires FortiGate to act as a CA for full SSL inspection: (1) Multiple clients connecting to multiple servers, or (2) Protecting the SSL server?
Multiple clients connecting to multiple servers
What are the two possible configurations for full SSL inspection?
Outbound (i.e., internal devices connecting to external devices) and Inbound (i.e., external devices connecting to an internal device)
How do you enable SSL certificate inspection?
Select the read-only, preconfigured certificate-inspection profile (SSL/SSH Certificate Inspection) when configuring a firewall policy
If there is no SNI (Server Name Identification) exchanged during the SSL handshake, what does SSL use to identify the server?
The value in the Subject field or SAN (Subject Alternative Name) field in the server certificate