Owen_Air
New Member
October 18, 2023
Question

Forti-Analyzer : SSL Error with D & E Series Fortigate


Hi There,

I have a Forti-Analyzer hosted in Azure running V7.4.1. Most of the D series and some E series firewalls are not able to connect to the FAZ, and there's an SSL error generated on test and in the system logs.

I do have other models which don't have the issue. I have 58 devices in total (60E, 61F, 81F, 60F, VM64 - Azure).

The firewalls which are having issues are on the following versions:

 

60D | 6.0.17 Build0528 (GA)

80E | 6.0.16 Build0505 (GA)

90D | 6.0.16 Build0505 (GA)

The error message generated in the system logs of the firewalls is as follows.

 

Log Description FortiAnalyzer connection failed

Action connect
Status failure
Reason ssl_connect() failed: 1

Event
Message Failed to connect FortiAnalyzer "IP Removed"


Log event original timestamp 1697620251
Log ID 22903
Sub Type system

 

 

3 replies

AEK
SuperUser
October 18, 2023

Hi Owen

 

On your FortiGate:

config log fortianalyzer setting

Then try changing the parameters below to a higher security level.

enc-algorithm
ssl-min-proto-version

 

AEK
Owen_Air
Author
New Member
October 18, 2023

Hi There,

Here are the current settings.

# show
config log fortianalyzer setting
set status enable
set server "IP REDACTED"
set ssl-min-proto-version SSLv3
set reliable enable
end

 

Owen_Air
Author
New Member
October 18, 2023

Still getting the same problem. 

AEK
SuperUser
October 18, 2023

Hi

Please share this output:

config log fortianalyzer setting
get
set enc-algorithm ?
set ssl-min-proto-version ?

 

AEK
Owen_Air
Author
New Member
October 19, 2023

Hi There,

Please see the FortiGate setting:

unit6 # config log fortianalyzer setting

(setting) # get
status : enable
ips-archive : enable
server : IP REDACTED
enc-algorithm : high
ssl-min-proto-version: SSLv3
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable

Owen_Air
Author
New Member
October 19, 2023

FAZ side:

(global)# get
ssl-low-encryption : enable
ssl-protocol : tlsv1.3 tlsv1.2

(central-management)# get
get
type : fortimanager
allow-monitor : enable
fmg : (null)
enc-algorithm : default
authorized-manager-only: enable
serial-number :