Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.4.8
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiManager 7.4.8 Administration Guide
    7.4.8
    8.0.0
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Certificate best practices for FortiManager HA with VRRP

    Certificate best practices for FortiManager HA with VRRP

    Modern web browsers no longer use the Common Name (CN) field for hostname verification. Instead, they rely exclusively on the Subject Alternative Name (SAN) extension.

    This document outlines best practices for deploying GUI certificates in a High Availability (HA) setup using Virtual Router Redundancy Protocol (VRRP), ensuring secure and seamless communication with your FortiManager HA environment.

    For steps on configuring and uploading local certificates, refer to the following:

    Recommended certificate configuration approaches

    There are two primary options for configuring certificates for your FortiManager HA with VRRP deployment.

    1. Option 1: Use a single certificate with comprehensive SAN entries.

    2. Option 2: Use distinct certificates for each FortiManager.

    To illustrate the certificate configurations, the examples below use the following FortiManager HA VRRP setup details:

    Component IP Type IP Address FQDN
    FMG1 Dedicated IP 10.0.0.1/24 fmg1.example.com
    FMG2 Dedicated IP 10.0.0.2/24 fmg2.example.com
    FortiManager HA VRRP VIP (Virtual IP) 10.0.0.100 fmg_vip.example.com
    Option 1: Use a single certificate with comprehensive SAN entries

    This approach uses one certificate that includes all relevant identities in its SAN extension.

    The certificate must contain the following in its SAN entries:

    • The FQDN and/or IP address of the VRRP Virtual IP (VIP) address.

      • This is required to trust the certificate when you access the FortiManager HA setup using the VRRP VIP address.

    • The FQDN and/or IP address of your primary FortiManager.

      • In some scenarios, you may need to access the primary FortiManager directly. Including its FQDN and/or IP address here ensures the certificate is trusted for direct access.

    • The FQDN and/or IP address of your secondary FortiManager.

      • Similarly, you may need to access the secondary FortiManager directly in certain situations. Adding its FQDN and/or IP address ensures the certificate is trusted for direct access.

    Note

    Since the CN is no longer used for the hostname verification by modern browsers, you can use any name for this field, or simply use the VRRP VIP address.

    An example of the certificate configuration would look as follows:

    • Shared certificate:

      Field

      Value
      CN fmg_vip.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg1.example.com, DNS: fmg2.example.com

    The certificate configuration can also include the IP addresses in the SAN for broader access if required.

    Option 2: Use distinct certificates for each FortiManager

    If your organization's security policies require each FortiManager in the HA setup to have its own unique certificate, you can configure them as follows:

    • Primary FortiManager's Certificate SAN

      • The FQDN and/or IP address of the primary FortiManager.

      • The FQDN and/or IP address of the VRRP VIP address.

      The CN for this certificate can be set to the FQDN or IP address of the primary FortiManager.

    • Secondary FortiManager's Certificate SAN:

      • The FQDN and/or IP address of the secondary FortiManager.

      • The FQDN and/or IP address of the VRRP VIP address.

      The CN for this certificate can be set to the FQDN or IP address of the secondary FortiManager.

    An example of the certificate configuration would look as follows:

    • FMG1 certificate:

      Field

      Value
      CN fmg1.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg1.example.com

    • FMG2 certificate:

      Field

      Value
      CN fmg2.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg2.example.com

      The certificate configuration can also include the FMG2 and FortiManager HA VRRP IP addresses in the SAN for broader access if required.

    Example - Demonstrating CN versus SAN behavior

    This example scenario demonstrates that a certificate with the primary FortiManager's FQDN in the CN and the VRRP VIP FQDN in the SAN is only valid for the VIP FQDN. It's not trusted for direct access to the primary FortiManager FQDN. This further emphasizes the need to include all relevant FQDNs and/or IP addresses in the SAN extension for the certificate to be trusted across all access points.

    In this example scenario, a certificate is configured as follows:

    Field

    Value
    CN Primary FortiManager's FQDN
    SAN

    VRRP VIP address's FQDN

    Result:

    • The certificate is trusted when accessing the FortiManager using:

      • The VRRP VIP FQDN (for instance https://<vip_fqdn>)

    • The certificate is not trusted when accessing the primary FortiManager directly using its FQDN:

      • The Primary FortiManager's FQDN (for instance https://primary_fqdn>)

        Note that in this case, the certificate isn't trusted even though the URL used matches the certificate's CN.

    Additional resources

    Previous
    Next

    Certificate best practices for FortiManager HA with VRRP

    Certificate best practices for FortiManager HA with VRRP

    Modern web browsers no longer use the Common Name (CN) field for hostname verification. Instead, they rely exclusively on the Subject Alternative Name (SAN) extension.

    This document outlines best practices for deploying GUI certificates in a High Availability (HA) setup using Virtual Router Redundancy Protocol (VRRP), ensuring secure and seamless communication with your FortiManager HA environment.

    For steps on configuring and uploading local certificates, refer to the following:

    Recommended certificate configuration approaches

    There are two primary options for configuring certificates for your FortiManager HA with VRRP deployment.

    1. Option 1: Use a single certificate with comprehensive SAN entries.

    2. Option 2: Use distinct certificates for each FortiManager.

    To illustrate the certificate configurations, the examples below use the following FortiManager HA VRRP setup details:

    Component IP Type IP Address FQDN
    FMG1 Dedicated IP 10.0.0.1/24 fmg1.example.com
    FMG2 Dedicated IP 10.0.0.2/24 fmg2.example.com
    FortiManager HA VRRP VIP (Virtual IP) 10.0.0.100 fmg_vip.example.com
    Option 1: Use a single certificate with comprehensive SAN entries

    This approach uses one certificate that includes all relevant identities in its SAN extension.

    The certificate must contain the following in its SAN entries:

    • The FQDN and/or IP address of the VRRP Virtual IP (VIP) address.

      • This is required to trust the certificate when you access the FortiManager HA setup using the VRRP VIP address.

    • The FQDN and/or IP address of your primary FortiManager.

      • In some scenarios, you may need to access the primary FortiManager directly. Including its FQDN and/or IP address here ensures the certificate is trusted for direct access.

    • The FQDN and/or IP address of your secondary FortiManager.

      • Similarly, you may need to access the secondary FortiManager directly in certain situations. Adding its FQDN and/or IP address ensures the certificate is trusted for direct access.

    Note

    Since the CN is no longer used for the hostname verification by modern browsers, you can use any name for this field, or simply use the VRRP VIP address.

    An example of the certificate configuration would look as follows:

    • Shared certificate:

      Field

      Value
      CN fmg_vip.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg1.example.com, DNS: fmg2.example.com

    The certificate configuration can also include the IP addresses in the SAN for broader access if required.

    Option 2: Use distinct certificates for each FortiManager

    If your organization's security policies require each FortiManager in the HA setup to have its own unique certificate, you can configure them as follows:

    • Primary FortiManager's Certificate SAN

      • The FQDN and/or IP address of the primary FortiManager.

      • The FQDN and/or IP address of the VRRP VIP address.

      The CN for this certificate can be set to the FQDN or IP address of the primary FortiManager.

    • Secondary FortiManager's Certificate SAN:

      • The FQDN and/or IP address of the secondary FortiManager.

      • The FQDN and/or IP address of the VRRP VIP address.

      The CN for this certificate can be set to the FQDN or IP address of the secondary FortiManager.

    An example of the certificate configuration would look as follows:

    • FMG1 certificate:

      Field

      Value
      CN fmg1.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg1.example.com

    • FMG2 certificate:

      Field

      Value
      CN fmg2.example.com
      SAN

      DNS: fmg_vip.example.com, DNS: fmg2.example.com

      The certificate configuration can also include the FMG2 and FortiManager HA VRRP IP addresses in the SAN for broader access if required.

    Example - Demonstrating CN versus SAN behavior

    This example scenario demonstrates that a certificate with the primary FortiManager's FQDN in the CN and the VRRP VIP FQDN in the SAN is only valid for the VIP FQDN. It's not trusted for direct access to the primary FortiManager FQDN. This further emphasizes the need to include all relevant FQDNs and/or IP addresses in the SAN extension for the certificate to be trusted across all access points.

    In this example scenario, a certificate is configured as follows:

    Field

    Value
    CN Primary FortiManager's FQDN
    SAN

    VRRP VIP address's FQDN

    Result:

    • The certificate is trusted when accessing the FortiManager using:

      • The VRRP VIP FQDN (for instance https://<vip_fqdn>)

    • The certificate is not trusted when accessing the primary FortiManager directly using its FQDN:

      • The Primary FortiManager's FQDN (for instance https://primary_fqdn>)

        Note that in this case, the certificate isn't trusted even though the URL used matches the certificate's CN.

    Additional resources

    Previous
    Next