
Administration Guide

Basic authentication with cached client certificates


With basic authentication, client certificates can be cached and used as authentication cookies, eliminating the need for repeated user authentication.

In this example, a CA signs a client certificate. The client certificate is installed on two endpoints, and the root CA certificate is imported to FortiGate.

During the authentication process, FortiGate first verifies the client certificate presented by the endpoint against the configured CA certificate. Only if that verification succeeds is the user prompted for login credentials. Once the user has authenticated, FortiGate caches the client certificate and treats it as the authentication cookie, so subsequent requests that present the same certificate are granted without a credential prompt for as long as the certificate remains on the endpoint. Because the cache is keyed to the certificate rather than to the endpoint or its IP address, the certificate and its private key effectively become a bearer credential for that user, so the private key must be protected on every endpoint it is installed on.

To configure client certificates as authentication cookies:
  1. Prepare the certificate:

    1. Use a CA to sign the client certificate.

    2. Import the root CA certificate that signed the client certificate to FortiGate.

    3. Install the client certificate on all endpoints.

  2. In FortiOS, configure an authentication scheme that uses HTTP basic authentication (method basic) against the local user database.

    config authentication scheme
        edit "test"
            set method basic
            set user-database "local-user-db"
        next
    end
  3. Configure an authentication rule that references the scheme and enables caching of the client certificate. Disabling ip-based makes the rule user-based rather than source-IP-based, which is what allows the cached certificate to identify the user from any address; cert-auth-cookie enable turns on the caching.

    config authentication rule
        edit "test"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "test"
            set cert-auth-cookie enable
        next
    end
  4. Configure verification of the client certificate against the root CA. The value of user-cert-ca is the name under which the CA certificate was imported (root_ca in this example).

    config authentication setting
        set user-cert-ca "root_ca"
    end
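The certificate preparation in step 1, and the kind of chain check that step 4 turns on, worked through with the openssl CLI as an added example (this is not configuration or code from the Fortinet guide). The names root_ca and client2.fortinet.com follow the guide; the second CA (rogue_ca), the impostor certificate and the PKCS#12 passphrase are assumptions made for this example. The script builds a root CA, issues a client-authentication certificate under it, bundles certificate and key as PKCS#12 for installation on each endpoint, and then shows that a certificate with the same subject issued by an unrelated CA does not validate against root_ca, which mirrors the rule FortiGate applies with user-cert-ca: only certificates chaining to the imported CA pass.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): build the PKI behind step 1 with
# the openssl CLI and run the same kind of chain check that user-cert-ca enables.
# Names root_ca and client2.fortinet.com follow the guide; rogue_ca, the impostor
# certificate and the PKCS#12 passphrase are assumptions made for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
# ca_ext is only applied when -x509 is used (self-signed root).
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DIR NAME: self-signed root with the CA bit and keyCertSign set, so it
# is valid as a trust anchor for chain building.
make_ca() {
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_client DIR CA FILE CN: CSR plus CA-signed leaf restricted to TLS client
# authentication (CA:FALSE, digitalSignature, EKU clientAuth).
issue_client() {
    openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$4" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$1/$3.ext"
    openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -extfile "$1/$3.ext" -out "$1/$3.crt" >/dev/null 2>&1
}

# verify_client CA_CRT CLIENT_CRT: prints OK when CLIENT_CRT chains to CA_CRT
# and is usable for client authentication, FAIL otherwise.
verify_client() {
    if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# export_p12 DIR FILE PASS: bundle key and certificate for import on an endpoint.
export_p12() {
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -out "$1/$2.p12" -passout "pass:$3" >/dev/null 2>&1
    if [ -s "$1/$2.p12" ]; then echo "$1/$2.p12"; else return 1; fi
}

make_ca "$WORK" root_ca                                      # root_ca.crt is what gets imported to FortiGate
issue_client "$WORK" root_ca client2 client2.fortinet.com    # installed on each endpoint
make_ca "$WORK" rogue_ca                                     # unrelated CA, never imported (constructed)
issue_client "$WORK" rogue_ca impostor client2.fortinet.com  # same subject, wrong issuer (constructed)

export_p12 "$WORK" client2 changeit >/dev/null               # passphrase is an example value

echo "client2 vs root_ca:   $(verify_client "$WORK/root_ca.crt" "$WORK/client2.crt")"
echo "impostor vs root_ca:  $(verify_client "$WORK/root_ca.crt" "$WORK/impostor.crt")"
echo "impostor vs rogue_ca: $(verify_client "$WORK/rogue_ca.crt" "$WORK/impostor.crt")"
```

Only root_ca.crt is imported to FortiGate; root_ca.key stays offline. The .p12 bundle is what is installed on the endpoints, and since cert-auth-cookie makes the certificate stand in for the user's credentials, the passphrase should be handled like a password and the key stored non-exportable where the platform allows it.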

When the user accesses a resource, such as a web site, for the first time:

  1. The browser prompts the user for a client certificate. The user selects the certificate (client2.fortinet.com), and clicks OK. Then the endpoint device (IP address 10.1.100.59) presents the client certificate to FortiGate for verification.

  2. Once the certificate verification passes, an authentication dialog box is displayed.

  3. The user enters their username and password to authenticate with FortiGate and successfully access the web site.

    FortiGate logs the first access in the traffic log. The authserver="localuser" field records that the credentials were checked against the local user database:

    9: date=2024-04-24 time=12:28:51 eventtime=1713918531092354265 tz="+1200" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.59 srcport=63615 srcintf="port2" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.33.69 dstport=443 dstintf="port3" dstintfrole="undefined" sessionid=51442 service="web" proxyapptype="http" proto=6 action="accept" policyid=10 policytype="proxy-policy" poluuid="e272fe7e-00d2-51ef-5fe0-09d157495e71" duration=73 user="localuser" group="localgroup" authserver="localuser" gatewayid=1 realserverid=1 vip="ztna" accessproxy="ztna" clientdevicemanageable="manageable" clientcert="yes" wanin=5734 rcvdbyte=5734 wanout=1505 lanin=3226 sentbyte=3226 lanout=42588 appcat="unscanned"

When the user accesses the resource from the same endpoint device for the second and subsequent times, FortiGate uses the cached authentication cookie to grant access, as long as the client certificate remains present on the endpoint.

When the user has multiple endpoint devices with the same certificate installed, the certificate presented by any of them matches the cached authentication cookie on the FortiGate, and the user can access resources from each device without authenticating again. The cache is tied to the certificate, not to the endpoint or its IP address.

This log shows the same user accessing the website from a different PC (IP address 10.1.100.78) without providing user credentials. Unlike the first log, this entry carries no authserver field, because no credential check took place; user and group are still populated from the cached authentication, and clientcert="yes" shows that the endpoint presented the certificate.

2: date=2024-04-24 time=12:30:42 eventtime=1713918642320943415 tz="+1200" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.78 srcport=63799 srcintf="port2" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.33.69 dstport=443 dstintf="port3" dstintfrole="undefined" sessionid=51819 service="web" proxyapptype="http" proto=6 action="accept" policyid=10 policytype="proxy-policy" poluuid="e272fe7e-00d2-51ef-5fe0-09d157495e71" duration=9 user="localuser" group="localgroup" gatewayid=1 realserverid=1 vip="ztna" accessproxy="ztna" clientdevicemanageable="manageable" clientcert="yes" wanin=5737 rcvdbyte=5737 wanout=1295 lanin=3102 sentbyte=3102 lanout=7651 appcat="unscanned"
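An added detection example, not part of the guide: the two log entries above (reused as they appear on the page) plus one constructed entry for a cached-certificate access from the first PC, run through a small POSIX shell and awk classifier. It keys on the difference visible between the two logs: the first carries authserver="localuser" (a credential check happened), the second does not but still has clientcert="yes" and user="localuser". The function cached_cert_new_devices lists users whose cached certificate granted access from an address that never performed an interactive login, which is the event worth reviewing given that the cache is tied to the certificate rather than the device. Field names are those in the page's logs; the third log line and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): classify FortiGate ZTNA traffic
# logs by how the user was authenticated, and flag cached-certificate access
# from addresses that never performed an interactive login.
# LOG_FIRST and LOG_SECOND are the guide's own entries; LOG_THIRD is constructed
# for this example (a cached-certificate access from the first PC).
set -eu

LOG_FIRST='9: date=2024-04-24 time=12:28:51 eventtime=1713918531092354265 tz="+1200" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.59 srcport=63615 srcintf="port2" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.33.69 dstport=443 dstintf="port3" dstintfrole="undefined" sessionid=51442 service="web" proxyapptype="http" proto=6 action="accept" policyid=10 policytype="proxy-policy" poluuid="e272fe7e-00d2-51ef-5fe0-09d157495e71" duration=73 user="localuser" group="localgroup" authserver="localuser" gatewayid=1 realserverid=1 vip="ztna" accessproxy="ztna" clientdevicemanageable="manageable" clientcert="yes" wanin=5734 rcvdbyte=5734 wanout=1505 lanin=3226 sentbyte=3226 lanout=42588 appcat="unscanned"'
# Constructed: second visit from the same PC, granted by the cached certificate.
LOG_THIRD='5: date=2024-04-24 time=12:29:30 eventtime=1713918570512733801 tz="+1200" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.59 srcport=63704 srcintf="port2" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.33.69 dstport=443 dstintf="port3" dstintfrole="undefined" sessionid=51603 service="web" proxyapptype="http" proto=6 action="accept" policyid=10 policytype="proxy-policy" poluuid="e272fe7e-00d2-51ef-5fe0-09d157495e71" duration=7 user="localuser" group="localgroup" gatewayid=1 realserverid=1 vip="ztna" accessproxy="ztna" clientdevicemanageable="manageable" clientcert="yes" wanin=5735 rcvdbyte=5735 wanout=1301 lanin=3110 sentbyte=3110 lanout=7702 appcat="unscanned"'
LOG_SECOND='2: date=2024-04-24 time=12:30:42 eventtime=1713918642320943415 tz="+1200" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="vdom1" srcip=10.1.100.78 srcport=63799 srcintf="port2" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.33.69 dstport=443 dstintf="port3" dstintfrole="undefined" sessionid=51819 service="web" proxyapptype="http" proto=6 action="accept" policyid=10 policytype="proxy-policy" poluuid="e272fe7e-00d2-51ef-5fe0-09d157495e71" duration=9 user="localuser" group="localgroup" gatewayid=1 realserverid=1 vip="ztna" accessproxy="ztna" clientdevicemanageable="manageable" clientcert="yes" wanin=5737 rcvdbyte=5737 wanout=1295 lanin=3102 sentbyte=3102 lanout=7651 appcat="unscanned"'

# log_field LINE KEY: value of KEY with surrounding quotes removed, empty if
# absent. The leading space keeps "srcip" from matching inside "dstip".
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        match($0, " " key "=\"[^\"]*\"") {
            print substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4); exit
        }
        match($0, " " key "=[^ ]*") {
            print substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2); exit
        }'
}

# auth_mode LINE: active (credentials were checked this session), cached-cert
# (client certificate presented, no credential check), or none.
auth_mode() {
    if [ -n "$(log_field "$1" authserver)" ]; then
        echo active
    elif [ "$(log_field "$1" clientcert)" = yes ]; then
        echo cached-cert
    else
        echo none
    fi
}

# cached_cert_new_devices: read log lines on stdin; print "user srcip" for each
# cached-certificate access from an address with no active login by that user.
cached_cert_new_devices() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s %s\n' "$(auth_mode "$line")" \
            "$(log_field "$line" user)" "$(log_field "$line" srcip)"
    done | awk '
        $1 == "active"      { seen[$2 " " $3] = 1 }
        $1 == "cached-cert" { n++; rec[n] = $2 " " $3 }
        END { for (i = 1; i <= n; i++) if (!(rec[i] in seen)) print rec[i] }'
}

for l in "$LOG_FIRST" "$LOG_THIRD" "$LOG_SECOND"; do
    printf '%-12s user=%s srcip=%s\n' "$(auth_mode "$l")" \
        "$(log_field "$l" user)" "$(log_field "$l" srcip)"
done
echo "cached-cert access from a device with no active login:"
printf '%s\n%s\n%s\n' "$LOG_FIRST" "$LOG_THIRD" "$LOG_SECOND" | cached_cert_new_devices
```

The same two conditions (clientcert="yes" and no authserver field) translate directly into a SIEM correlation rule; the per-user list of addresses that performed an active login is the state the rule needs to keep.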
