Certificate Expiration Trigger

Introduction

The certificate expiration trigger (Certificate expiration trigger) fires an automation stitch when a local certificate is about to expire. It can be configured to fire a set number of days before expiry (0 to 100 days, default 14).

It applies only to certificates in the local certificate category (such as user certificates or a Sub CA with a private key).

config vpn certificate setting
    set cert-expire-warning <integer>    //Number of days before a local certificate expires at which the warning is raised; range 0~100 days, default 14//
end

Network Requirements

One day before the device's local certificate expires, trigger an automation stitch that sends the system event log about the impending expiry to a specified mailbox.

Configuration Steps

  1. In Security Fabric → Automation, create a new automation stitch. For the trigger, select the preset Local Cert Expired Notification (the trigger can also be created manually); for the action, select sending an email to the specified mailbox.


    config system automation-trigger
        edit "Local Cert Expired Notification"
            set event-type local-cert-near-expiry
        next
    end
    
    config system automation-action
        edit "Action_Email"
            set action-type email
            set email-to "bbai@fortinet.com"
            set email-from "DoNotReply@notification.fortinet.net"
            set email-subject "CSF stitch alert"
            set replacement-message enable
        next
    end
    
    config system automation-stitch
        edit "certificate-near-expiry"
            set trigger "Local Cert Expired Notification"
            config actions
                edit 1
                    set action "Action_Email"
                    set required enable
                next
            end
        next
    end
    
  2. Set the certificate expiration warning to 1 day before expiry.

    config vpn certificate setting 
        set cert-expire-warning 1
    end
    
  3. On the FortiGate, view the user certificate, Sub CA certificate and CA certificate that are about to expire (2 days of validity remaining).


Result Verification

  1. The log generated when a certificate is about to expire is shown below. Once the certificate's expiry countdown drops below 2 days, a near-expiry log is produced and the configured automation stitch is triggered.


  2. The received email is shown below. Only local certificates (user certificates, Sub CA) trigger this automation; CA certificates do not.


  3. Check the debug output of the autod process; the email action can be seen being triggered.

    FortiGate (global) # diagnose debug application autod -1 
    __action_email_hdl()-181: email action (Action_Email) is called. 
    from:DoNotReply@notification.fortinet.net 
    to:bbai@fortinet.com; 
    subject:CSF stitch alert
    
  4. View the stitch's configuration and trigger statistics (level 2 shows both statistics and configuration).

    FortiGate (global) # diagnose test application autod 3
    stitch: certificate-near-expiry 
    
            local hit: 3 relayed to: 0 relayed from: 0
            last trigger:Mon Jul  3 10:12:00 2023
            last relay:
            actions:
                    Action_Email:
                            done: 3 relayed to: 0 relayed from: 0
                            last trigger:Mon Jul  3 10:12:00 2023
                            last relay:
    log category to stitch mapping:
    id:22207 local hit: 3 relayed hits: 0
            certificate-near-expiry
    
  5. When the certificate has less than 1 day remaining, the near-expiry log reports 0 days remaining.

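As an added defender-side pre-check (not part of the original page or of FortiGate's own code), the script below models the threshold semantics described above: remaining validity is counted in whole days, the event fires when that count is within cert-expire-warning (0~100), only local-category certificates qualify, and a certificate with less than a day left reports 0 days. The LocalCert inventory format, the category labels and the skipping of already-expired certificates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ssl

WARNING_DAYS_DEFAULT = 14  # FortiGate default for cert-expire-warning


@dataclass
class LocalCert:
    name: str
    category: str   # assumption: "local" (user cert / Sub CA with private key) or "ca"
    not_after: str  # notAfter in OpenSSL text form, e.g. "Jul  3 10:12:00 2023 GMT"


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days left before expiry (negative once expired). Sub-day remainders
    are dropped, which matches the page's log showing 0 days when <1 day is left."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def near_expiry(cert: LocalCert, now: datetime, warning_days: int = WARNING_DAYS_DEFAULT) -> bool:
    """Model (assumption) of the local-cert-near-expiry event: fires only for
    local-category certificates whose remaining whole days fall within the window.
    Already-expired certificates are a different condition and are skipped here."""
    if not 0 <= warning_days <= 100:
        raise ValueError("cert-expire-warning must be in the range 0..100")
    if cert.category != "local":
        return False  # CA certificates never raise this event (page observation)
    return 0 <= days_remaining(cert.not_after, now) <= warning_days


def audit(certs, now: datetime, warning_days: int = WARNING_DAYS_DEFAULT):
    """Return (name, days_left) for every certificate that would raise the event."""
    return [(c.name, days_remaining(c.not_after, now))
            for c in certs if near_expiry(c, now, warning_days)]


# Constructed sample inventory; NOW is taken from the page's "last trigger" timestamp.
NOW = datetime(2023, 7, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    LocalCert("user_cert", "local", "Jul  5 09:00:00 2023 GMT"),       # ~1.9 days left
    LocalCert("subca_with_key", "local", "Jul  3 20:00:00 2023 GMT"),  # <1 day left
    LocalCert("root_ca", "ca", "Jul  4 00:00:00 2023 GMT"),            # CA: never fires
    LocalCert("server_cert", "local", "Aug 30 00:00:00 2023 GMT"),     # 57 days left
    LocalCert("old_cert", "local", "Jul  1 00:00:00 2023 GMT"),        # already expired
]

if __name__ == "__main__":
    for name, days in audit(SAMPLE_CERTS, NOW, warning_days=1):
        print(f"local-cert-near-expiry would fire for {name}: {days} day(s) left")
```

With warning_days=1 the output lists user_cert (1 day) and subca_with_key (0 days), matching the two observations in the verification steps.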

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was last revised on: 2024-03-14 14:19:18
