I think there is a misunderstanding: in my lab, the FortiGate client doesn't have any client certificate; instead, the installation of a CA certificate on the FortiGate FW is compulsory.
Indeed, if we analyze the following statement in the FortiGate Infrastructure 7.2 Study Guide (p.200):
"This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate."
The sentence says it is necessary to install a certificate since the client uses PSK and PKI, but clearly on the server it "must have the proper CA certificate installed", be careful. It says the client uses PSK, which is a pre-shared key and it is the public key normally contained in the certificate exposed by the server.
As I said, my lab works perfectly without a certificate on the client side.
Correct:
C. The client FortiGate uses the SSL VPN tunnel interface type to connect SSL VPN.
D. Server FortiGate requires a CA certificate to verify the client FortiGate certificate.
Incorrect:
A. The client FortiGate requires a client certificate signed by the CA on the server FortiGate.
B. The client FortiGate requires a manually added route to remote subnets. (dynamically)
FortiGate Infrastructure 7.2 Study Guide (p.200):
"The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server."
"This configuration requires proper CA certificate installation as the SSL VPN client FortiGate/user uses PSK and a PKI client certificate to authenticate. The FortiGate devices must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate."
Reference and download study guide:
https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
Agreed that C and D are correct... But what about A? Study Guide 7.2 Infra page 199 says the client user uses PSK and PKI... I guess it's referring to a client user behind the client gate.
warlusontheweb
1 month, 3 weeks ago
warlusontheweb
1 month, 3 weeks ago
warlusontheweb
1 month, 3 weeks ago
raydel92
4 months, 1 week ago
doncacciato62
1 year ago
drumigue
1 year ago
ErojasXI
1 year, 1 month ago