According to the FortiClient EMS Administrator Study Guide (7.2/7.4 versions) and the Fortinet Document Library regarding SSL/TLS Endpoint Communication Security, the primary attribute verified during the SSL connection negotiation to mitigate Man-in-the-Middle (MITM) attacks is the Common Name (CN).
1. SSL Connection Negotiation & MITM Mitigation
Verification Process: When FortiClient attempts to establish a Telemetry connection with the FortiClient EMS server, an SSL handshake occurs. To ensure it is communicating with the legitimate server and not a malicious interceptor (MITM), FortiClient verifies the server's certificate.
Role of the Common Name (CN): The Common Name (or the Subject Alternative Name - SAN) in the certificate must match the FQDN (Fully Qualified Domain Name) or the IP address that the client intended to connect to.
Security Enforcement: If the CN/SAN does not match the server's expected address, FortiClient will detect a discrepancy. Depending on the Invalid Certificate Action setting in the profile (e.g., Warn or Block), it will prevent the establishment of a secure session to stop the MITM attacker from masquerading as the EMS server.
2. Why Other Options are Incorrect/Secondary
A. Serial Number (SN): While every certificate has a unique Serial Number, it is primarily used by the Certificate Authority (CA) for tracking and revocation purposes. While FortiOS 7.2.4+ can use SN for certain restricted VPN checks, the core SSL negotiation mechanism for identifying a specific host to prevent spoofing relies on the CN/SAN fields.
C. Location (L) and D. Organization (O): These are descriptive fields within the certificate's Subject that provide geographical and corporate information. They are not functionally used by the SSL/TLS protocol to verify the identity of the host during the connection negotiation or to mitigate MITM attacks.
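The identity check described in sections 1 and 2, as an added Python example (not Fortinet's code and not taken from the study guide): it matches the address the client intended to reach against the certificate's SAN/CN and shows that Serial Number, L and O play no part in the result. The certificates are constructed samples in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); make_cert, dns_match and identity_matches are hypothetical names, and preferring SAN over CN is an assumption drawn from general TLS practice (RFC 6125).

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); every name and value here is made up.
def make_cert(cn, sans, serial, org="Example Corp", loc="Ottawa"):
    return {"subject": ((("organizationName", org),), (("localityName", loc),),
                        (("commonName", cn),)),
            "subjectAltName": tuple(sans), "serialNumber": serial}

EMS = make_cert("ems.example.com",
                [("DNS", "ems.example.com"), ("IP Address", "192.0.2.10")], "0A01")
RENEWED = make_cert("ems.example.com", [("DNS", "ems.example.com")], "0B02")
# Same O, L and serial as EMS, but issued for a different host name.
INTERCEPTOR = make_cert("proxy.example.net", [("DNS", "proxy.example.net")], "0A01")
LEGACY_CN_ONLY = make_cert("ems.example.com", [], "0C03")


def dns_match(pattern, host):
    """Case-insensitive; '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def identity_matches(cert, target):
    """True if a SAN entry (or the CN, when there is no SAN) names `target`."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    sans = cert.get("subjectAltName", ())
    for kind, value in sans:
        if kind == "IP Address" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None and dns_match(value, target):
            return True
    if sans:  # assumption (RFC 6125 practice): CN is a fallback only
        return False
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_match(cn, target) for cn in cns)


if __name__ == "__main__":
    for name, cert in [("EMS", EMS), ("RENEWED", RENEWED),
                       ("INTERCEPTOR", INTERCEPTOR), ("LEGACY_CN_ONLY", LEGACY_CN_ONLY)]:
        print(name, cert["serialNumber"], identity_matches(cert, "ems.example.com"))
```

The renewed certificate passes with a new serial number, while the interceptor's certificate fails even though its serial number, O and L are copied from the real one.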
3. Curriculum References
EMS Administration Guide (System Settings Profile): Details how the client verifies the EMS server certificate. It specifies that for a connection to be trusted, the server address must align with the certificate's identity fields (CN/SAN).
FortiGate/FortiOS 7.2.4 New Features: Highlights the specific enhancement where FortiClient EMS connectors now "trust EMS server certificate renewals based on the CN field" to ensure continuous secure communication.