Secure connection for firewall web GUI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure connection for firewall web GUI

L4 Transporter

Hello,

I want to make a secure connection for the firewall GUI access. therefore I perform the below task:-

 

I imported the wildcard certificate in the firewall and the same certificate attached in SSL/TLS profile ( This is 3rd party certificate get by DigiCert).

Then the SSL/TLS profile is configured for management settings.

for troubleshooting purposes, i imported the certificate into the client machine as well.

 

I did the above configuration and access to the firewall with a different browser like  - IE, chrome, edge, firefox but all browser is showing the connection is not secure.

 

I have two doubts:-

 

 1- My wild certificate name is abc.com.jk which resolves my internal DNS 10.10.10.10 and my management IP address is 192.168.1.1 - Anything wrong with this or it is correct?

 

2 - I noticed that the certificate that I received from DigiCert its not a CA below is the image for reference- The Certificate should be the CA to make a secure connection?

 

 

Jafar_Hussain_0-1635421220462.png

 

can anyone have suggestions on this?

 

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @Jafar_Hussain 

 

Certificate warning could be caused by couple of reasons. It will be usefull to see the exact error that browser return - it should point you in correct direction. It could be either the issuer is not trusted, the address you use in the URL is not matching what is in the certificate, etc.

 

But I want to make some clarifications as it seems you make some wrong assumptions:

- Certificate Authority (CA) certificate is need to validate the server certificate that server provide to you when you connect to it. In your case firewall is acting as server (because its web interface is actually a web server). Which means that your firewall needs a server certificate and the corresponding private key with it.

- You don't have to import that certificate to the browser cert store. Again this certificate is the server cert that FW will send to you when you try to connect to it, in oder to validate its identity to you. So you need to know how to trust this information, which is the purpose of the CA. You what you need is the CA that has signed the server (firewall) cert to be in your browser Trusted Publisher/Root CA certificate store. Looking at your screenshot it seems you use public CA, that should already be trusted by all browsers.

- I am bit confuse, because you said you use wildcard certificate while you said the "wild certificate name is abc.com.jk" Wildcard certificate should include a start "*" at the begining , like *.com.jk. Can you explain a bit more what you ment as it possible that this is your reason for ssl warning

@Astardzhiev 

 

We import wild card certificate *.abc.com.jk.

one more test I did, I generate a self-sign certificate and attached in SSL /TLS profile then the same SSL/TLS profile configure for the Management Interface.

Then i found the login page was secure but i don't want to use the self-sign certificate. i want to use a 3rd party certificate but not able to find the cause of this issue.

 

Regards,

Jafar Hussain

Hey @Jafar_Hussain ,

 

If using self-signed certificate works without issues, I am guessing you are applying the correct steps.

I am starting to believe that you have troubles with the "multilevel" wildcard certificate. This means that:

- I you have wildcard for *.abc.com.jk, this certificate is valid for any host, but only for that level:

- examples of hostnames from same level are: firewall.abc.com.jk, test.abc.com.jk, vpn.abc.com.jk

- example of hostnames that will are not part of this sub-domain, and will give ssl error: west.firewall.abc.com.jk, abc.com.jk, zzz.com.jk, firewall.com.jk

 

If you certificate is *.abc.com.jk, what is the hostname you use for the fw mgmt? also - when you try to access the mgmt interface, are using the IP address or the FQDN in the web browsers addressbar?

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!