Certificate(s) has expired-fortinet-FortiOS

Vendor: fortinet

OS: FortiOS

Description:
Indeni will alert when a certificate has expired. Certificates that expired more than a set number of days ago are ignored, so the alert does not persist forever for long-dead certificates. The threshold (the number of days after expiration during which Indeni still alerts) can be adjusted by the user.

Remediation Steps:
Renew any certificates that need to be renewed.
1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get vpn certificate <X> detail”, where <X> is the certificate category (for example local or ca, the two categories the collector below reads), to review the period for which the certificate is valid.
2. Log in via SSH to the Fortinet firewall and run the FortiOS command “get vpn certificate setting” to review the certificate settings.
3. Log in via HTTPS to the Fortinet firewall and go to System > Certificates to review the list of certificates. Double-click each certificate to get detailed information.
4. For more information, review the Fortinet certificate configuration guide: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm
5. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.

How does this work?
Indeni connects to the Fortinet device over SSH and retrieves the X.509 “Valid to” field for every “local” device certificate and every trusted root CA certificate. The expiration timestamp is stored as a metric; the rule then alerts when that timestamp lies in the past but not further in the past than the configured threshold of days. Note that this script does not currently cover Fortinet’s “remote” certificate category.

Why is this important?
An expired SSL certificate should cause any “request” involving that certificate to fail. This could cause a variety of problems: the failure of HTTPS requests, failure of SSL/TLS web traffic inspection, the failure of X.509 certificate-based VPN tunnels, etc. SSL certificates should be renewed ahead of time.

Without Indeni how would you find this?
An administrator could manually check the certificate expiration dates by using the Fortinet web GUI or by logging in to the device via SSH and manually running the necessary commands.

fortios-get-vpn-certificate-local-details

#! META
name: fortios-get-vpn-certificate-local-details
description: Check device X.509 certificates to see whether or not they will expire soon
type: monitoring
monitoring_interval: 59 minutes
requires:
    vendor: fortinet
    os.name: FortiOS
    product: firewall
    vdom_enabled: false

#! COMMENTS
certificate-expiration:
    why: |
        An expired SSL certificate should cause any "request" involving that certificate to fail. This could cause a variety of problems: the failure of HTTPS requests, failure of SSL/TLS web traffic inspection, the failure of X.509 certificate-based VPN tunnels, etc. SSL certificates should be renewed ahead of time.
    how: |
        Using SSH to access the Fortinet device and retrieve the X.509 "valid to" field for all "local" device certificates. If the time in this field is within a certain threshold of days, Indeni raises an alert. Note that this script does not currently validate the Fortinet's category of "remote" certificates.  It does check all "local" and root CA certificates.
    without-indeni: |
        An administrator could manually check the certificate expiration dates by using the Fortinet web GUI or by logging in to the device via SSH and manually running the necessary commands.
    can-with-snmp: false
    can-with-syslog: false

#! REMOTE::SSH
get vpn certificate local details
get vpn certificate ca detail

#! PARSER::AWK

# 1) Fortinet has three "categories" of certs (displayed in the Web UI):  local, remote, and external.
#  It also stores (trusts) many root CA certificates (just like a web browser). This script currently checks
#  all of the local, external, and trusted CA certificates.  We haven't been able to get the "remote" certificates
#  yet -- the data is available from the CLI, but we need "nested config" support from Indeni to get the data.
# 2) AWK is mangling some Unicode of a few certificate names in the live config -- see this Crowd topic:
#  https://community.indeni.com/discussions/topics/46563?page=0.  On my test device, there are only 3 such certs, and
#  they're near the bottom of a long list in the live config.
# 3) Also in the live config, the timezone for the cert expiration date is incorrect. I think this is an Indeni bug.
#  See Crowd topic: https://community.indeni.com/discussions/topics/46573?page=0

#Name:        Fortinet_CA_SSL
/Name:/ {
    certName = $2
    certTags["name"] = certName
}

#Valid to:    2019-05-24 13:15:35  GMT
/Valid to:/ {
    expiresDate = $3
    expiresTime = $4
    split(expiresDate, expiresDateArr, "-")
    split(expiresTime, expiresTimeArr, ":")
    expirationDateTime = datetime(expiresDateArr[1], expiresDateArr[2], expiresDateArr[3], expiresTimeArr[1], expiresTimeArr[2], expiresTimeArr[3])
    writeDoubleMetricWithLiveConfig("certificate-expiration", certTags, "gauge", 0, expirationDateTime, "Certificates Expiration", "date", "name")
}

package com.indeni.server.rules.library.crossvendor

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.ruleengine.expressions.conditions.{And, GreaterThan, LesserThan}
import com.indeni.ruleengine.expressions.core.{StatusTreeExpression, _}
import com.indeni.ruleengine.expressions.data.{SelectTagsExpression, _}
import com.indeni.ruleengine.expressions.math.PlusExpression
import com.indeni.ruleengine.expressions.utility.NowExpression
import com.indeni.server.common.data.conditions.True
import com.indeni.server.params.ParameterDefinition
import com.indeni.server.params.ParameterDefinition.UIType
import com.indeni.server.rules._
import com.indeni.server.rules.library.core.PerDeviceRule
import com.indeni.server.rules.library.{ConditionalRemediationSteps, RuleHelper}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class CrossVendorCertificateHasExpiredRule(context: RuleContext) extends PerDeviceRule with RuleHelper {

  private val highThresholdParameterName = "Effective_Duration_Threshold"
  private val highThresholdParameter = new ParameterDefinition(highThresholdParameterName,
                                                               "",
                                                               "Effective_Duration_Threshold",
                                                               "How long after expiration Indeni should keep alerting; certificates that expired longer ago than this are ignored.",
                                                               UIType.TIMESPAN,
                                                               TimeSpan.fromDays(30))

  override val metadata: RuleMetadata = RuleMetadata
    .builder(
      "cross_vendor_certificate_has_expired",
      "All Devices: Certificate(s) has expired",
      "Indeni will alert when a certificate has expired. Certificates that expired more than a set number of days ago will be ignored. " +
        "The threshold for the number of days after certificate expiration can be adjusted by the user.",
      AlertSeverity.ERROR
    )
    .configParameter(highThresholdParameter)
    .build()

  override def expressionTree: StatusTreeExpression = {
    val actualValue = TimeSeriesExpression[Double]("certificate-expiration").last.toTimeSpan(TimePeriod.SECOND)

    StatusTreeExpression(
      // Which objects to pull (normally, devices)
      SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // What constitutes an issue
      StatusTreeExpression(
        // The additional tags we care about (we'll be including this in alert data)
        SelectTagsExpression(context.tsDao, Set("name"), withTagsCondition("certificate-expiration")),
        StatusTreeExpression(
          // The time-series we check the test condition against:
          SelectTimeSeriesExpression[Double](context.tsDao, Set("certificate-expiration"), denseOnly = false),
          // The condition which, if true, we have an issue. Checked against the time-series we've collected
          And(
            LesserThan(
              actualValue,
              NowExpression()
            ),
            GreaterThan(
              PlusExpression[TimeSpan](actualValue, getParameterTimeSpanForTimeSeries(highThresholdParameter)),
              NowExpression()
            )
          )
          // The Alert Item to add for this specific item
        ).withSecondaryInfo(
            scopableStringFormatExpression("${scope(\"name\")}"),
            scopableStringFormatExpression("Expired on %s", timeSpanToDateExpression(actualValue)),
            title = "Affected Certificates"
          )
          .asCondition()
      ).withoutInfo().asCondition()
    ).withRootInfo(
      getHeadline(),
      ConstantExpression("One or more certificates has expired. See the list below."),
      ConditionalRemediationSteps("Renew any certificates that need to be renewed.",
        ConditionalRemediationSteps.VENDOR_CP ->
          """Please review:
            |<a target="_blank" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104400">Solution sk104400 on Check Point Support Center</a>
            |and the articles to which it links at the bottom.""".stripMargin,
        ConditionalRemediationSteps.VENDOR_PANOS ->
          """Please review this article on Palo Alto Networks Support Site:
            |<a target="_blank" href="https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/certificate-management/revoke-and-renew-certificates">Revoke and Renew Certificates</a>.""".stripMargin,
        ConditionalRemediationSteps.VENDOR_FORTINET ->
          """
            |1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get vpn certificate <X> detail”, where <X> is the certificate category (for example local or ca), to review the period for which the certificate is valid.
            |2. Log in via SSH to the Fortinet firewall and run the FortiOS command “get vpn certificate setting” to review the certificate settings.
            |3. Log in via HTTPS to the Fortinet firewall and go to System > Certificates to review the list of certificates. Double-click each certificate to get detailed information.
            |4. For more information, review the Fortinet certificate configuration guide: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm
            |5. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.""".stripMargin
      )
    )
  }
}
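The AWK collector above extracts the “Valid to” field and the Scala rule applies the condition “expired, but not expired for longer than Effective_Duration_Threshold”. The following Python script is an added worked example, not Indeni’s or Fortinet’s code, that reproduces both halves end to end so the logic can be checked offline: it parses the Name:/Valid to: lines from a constructed sample of “get vpn certificate local details” output (only the two line formats quoted in the parser comments are assumed; the Subject line is filler), keeps the timezone token the AWK discards (comment 3 above, GMT is mapped to UTC and anything else is rejected rather than silently dropped), anchors the Name: match at the start of the line so a field such as a subject alternative name cannot be mistaken for the certificate name, and classifies each certificate as valid, expired (alert) or expired-ignored (older than the threshold, as the rule does). The 30-day default mirrors TimeSpan.fromDays(30).

```python
"""Worked example (not Indeni code): parse FortiOS certificate output and
apply the "expired within the last N days" rule condition."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the relevant lines of `get vpn certificate local
# details`. Only the "Name:" and "Valid to:" layouts shown in the parser
# comments above are assumed; the Subject line is filler.
SAMPLE_OUTPUT = """\
Name:        Fortinet_CA_SSL
Subject:     CN = FGT60D4Q16000000, O = Fortinet
Valid from:  2016-05-25 13:15:35  GMT
Valid to:    2019-05-24 13:15:35  GMT
Name:        Fortinet_Factory
Valid from:  2016-05-25 13:15:35  GMT
Valid to:    2038-01-19 03:14:07  GMT
Name:        old vpn cert
Valid from:  2017-01-01 00:00:00  GMT
Valid to:    2019-01-01 00:00:00  GMT
"""

# Anchored at line start, unlike the AWK /Name:/ pattern, and tolerant of
# names containing spaces (the AWK version keeps only $2).
NAME_RE = re.compile(r"^Name:\s+(.*\S)\s*$")
VALID_TO_RE = re.compile(
    r"^Valid to:\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


def _parse_tz(token):
    """FortiOS prints validity in GMT; map it to UTC and refuse anything
    else instead of dropping the zone like the AWK collector does."""
    if token in ("GMT", "UTC"):
        return timezone.utc
    raise ValueError(f"unexpected timezone token {token!r}")


def parse_certificates(text):
    """Return [{'name': str, 'valid_to': aware datetime}, ...]."""
    certs = []
    name = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = VALID_TO_RE.match(line)
        if m and name is not None:
            date, clock, tz = m.groups()
            valid_to = datetime.strptime(
                f"{date} {clock}", "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=_parse_tz(tz))
            certs.append({"name": name, "valid_to": valid_to})
            name = None  # one "Valid to" per certificate block
    return certs


def classify(cert, now, threshold_days=30):
    """Same condition as the Scala rule:
    alert  <=>  valid_to < now  AND  valid_to + threshold > now."""
    valid_to = cert["valid_to"]
    if valid_to >= now:
        return "valid"
    if valid_to + timedelta(days=threshold_days) > now:
        return "expired"
    return "expired-ignored"


def expired_certificates(text, now, threshold_days=30):
    """Names that would appear under 'Affected Certificates'."""
    return [
        c["name"]
        for c in parse_certificates(text)
        if classify(c, now, threshold_days) == "expired"
    ]


if __name__ == "__main__":
    # Evaluate against a fixed clock so the result is reproducible.
    NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
    for cert in parse_certificates(SAMPLE_OUTPUT):
        print(f"{cert['name']:20} {cert['valid_to'].isoformat()} "
              f"{classify(cert, NOW)}")
    print("alert on:", expired_certificates(SAMPLE_OUTPUT, NOW))
```

Against the fixed clock of 2019-06-01, Fortinet_CA_SSL (expired 8 days earlier) is reported, Fortinet_Factory is still valid, and “old vpn cert” (expired 151 days earlier) is ignored under the 30-day default but reported again if the threshold is raised to a year, which is exactly the knob the Effective_Duration_Threshold parameter exposes.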