Moxeq
Explorer
July 18, 2024
Question

FortiGate Kills the connection to FMG

  • July 18, 2024
  • 2 replies
  • 1981 views

Hello Guys,

We are adding firewalls to be managed by the FMG.

We added all the branch firewalls to the FMG in the HQ, but weirdly the branches' firewall in the HQ, which is the assembly point for our branch firewalls, has a problem when we try to add it to the FMG, although, as I mentioned, all the firewalls that pass through it were added to the FMG.

I captured the traffic between them and found that the firewall itself kills the session, sending a FIN to the FMG.

Find the two attached photos, which show the capture.

172.130.201.2 is the FGT, 10.130.139.100 is the FMG.

I tried to add a source IP on the FortiGate config destined to the FMG.

The policies should allow all the ports between them.

Any idea about that?

Attachments: PcapFMG1.png, PcapFMG2.png

2 replies

AEK
SuperUser
July 18, 2024

Hi MoX

Which FMG & FGT versions, please?

AEK
Moxeq (Author)
Explorer
July 18, 2024

Hi AEK

FGT is on 7.0.14 and FMG on 7.0.12.

The other FGTs that had no issues were on the same version, 7.0.14, also.

FMG has license to manage 10 devices for now and currently 8 FGTs were added.

sw2090
SuperUser
August 6, 2024

In fact it was a DPI issue that hit us with 7.0.14. It however never occurred before 7.0.13/7.0.14. I guess Fortinet did some changes on the fgfm protocol (for security reasons, since there was a CVE) that brought that into effect.

However, even the fgfm debug log, on neither the FMG nor the FGT side, gave a clue about that, since there was no actual error message. You could thus check by e.g. doing dia debug app fgfmd 255 on the FGT side.

TAC had to provide two debug releases of 7.0.14 to us and only the second of those gave the clue we needed to find the culprit.

So I recommend checking the fgfm debug log and also checking whether any policy that matches fgfm traffic between FMG and FGT (in BOTH directions) has SSL Deep Inspection active. If so, remove it or create an extra policy for FGFM that matches first. That fixed it for us.

Btw: sorry for the late reply but I was off for vacation for the last two weeks ;)
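As an added example (not code from the thread or from Fortinet), here is the policy arrangement the reply above describes, in FortiOS CLI: a broad policy with the deep-inspection profile that also catches FGFM traffic, beside a dedicated FGFM policy per direction without inspection that is moved ahead of it. The interface names, the address object names and the custom service name are assumptions; the two host addresses are the ones given in the question.

```fortios
# Added example. Assumed: a FortiGate forwarding FGFM traffic between a managed
# FortiGate (172.130.201.2, behind "port1") and the FortiManager (10.130.139.100,
# behind "port2"); address objects "managed-fgt" and "fmg" for those two hosts exist.
config firewall service custom
    edit "FGFM-tcp541"
        set tcp-portrange 541
    next
end
# Weak setting: a catch-all policy with deep inspection that also matches FGFM.
config firewall policy
    edit 10
        set name "branch-to-hq-inspected"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
end
# Fix: one FGFM policy per direction with no security profiles, placed above policy 10.
config firewall policy
    edit 20
        set name "FGFM-fgt-to-fmg"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "managed-fgt"
        set dstaddr "fmg"
        set service "FGFM-tcp541"
        set action accept
        set schedule "always"
    next
    edit 21
        set name "FGFM-fmg-to-fgt"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "fmg"
        set dstaddr "managed-fgt"
        set service "FGFM-tcp541"
        set action accept
        set schedule "always"
    next
    move 20 before 10
    move 21 before 10
end
```

Policy order is what makes this work: if the FGFM policies sit below the inspected catch-all, the catch-all still wins, so confirm the result with the dia debug app fgfmd 255 output mentioned in the reply above.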