sw2090, SuperUser
February 16, 2024
Solved

FortiManager deployment problems after FGT Upgrade to 7.0.14

  • February 16, 2024
  • 17 replies
  • 10722 views

I did the following:


- upgraded FMG to 7.0.11 while the FGTs were still on 7.0.13 => everything still worked fine afterwards

- upgraded the FGTs to 7.0.14 during the next night (scheduled) => since then the FGTs keep losing the connection to FMG when I deploy a policy package or device config. This results in the deployment timing out after some time.

During a TAC session it helped to reboot FMG (and run fsck on it in the process), then retrieve the FGT config and then deploy it. After this, deploying the policy package worked fine until now.

Now just deployed the device config only on a FGT and it got disconnected from FMG again...


However they come back after some time...

17 replies

sw2090 (Author), SuperUser
May 14, 2024

I meanwhile also assume it is not a certificate issue as reported before. I saw a FGT throwing the exact same certificate error in the FGFM debug log, but the reason it did not come online in FMG was that the FGT IP in FMG was wrong in this single case.

I have also gotten an interim build of 7.0.14 for FGT100F that has more debugging capabilities. It even provides me with shell access to the OS itself. But even that does not give me enough information to find the culprit.

sw2090 (Author), SuperUser
May 14, 2024

I have to admit that TAC did provide me the bug ID but I overlooked it in the ticket :\

Here it is:


1004231 - 1460: After upgrading FGT from 7.0.13 to 7.0.14, start losing FMG connections because of fatal unknown CA

AEK, SuperUser
May 14, 2024

Thanks for the update.

So you have the $1M FOS version (shell access). Try to take full advantage of it :)

AEK
sw2090 (Author), SuperUser
May 15, 2024

yeah and I got it for free :)

sw2090 (Author), SuperUser
May 21, 2024

TAC said I'm gonna get a new interim FOS build for further debugging. Developers are still doing some sanity tests before I get it.

Issue is still pending bugfix...

sw2090 (Author, Best answer), SuperUser
May 23, 2024

Got the new interim FOS build yesterday and it finally seems to have brought us onto the right path.

This build finally output an additional message saying that the FMG certificate could not be re-verified by the FGT because of the issuer. And that issue gave me the clue I needed to finally find the culprit.

It was in fact DPI in effect on the FGT to FMG policies. This was set a long time ago and it never caused issues until FOS 7.0.14. Since 7.0.14 this is an issue.

Once I disabled DPI on those policies everything came back up and works fine again.

AEK, SuperUser
May 23, 2024

Thanks for sharing.

So what do you do if you want to configure deep inspection?

AEK
sw2090 (Author), SuperUser
May 23, 2024

Either do not enable it on policies for the FMG<->FGT connection, or make sure that all FGTs have the issuer CA you use for deep inspection so they can still verify FMG's certificate.
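A constructed FortiOS CLI illustration of the two options described in this thread, added here and not posted by anyone in the thread: the policy carrying FGFM traffic (predefined service FGFM, TCP/541) toward the FortiManager either drops from deep-inspection to certificate-inspection, or the FortiManager address is exempted from the deep-inspection profile so its certificate is never re-signed. Interface names, the address object "FMG-host", its IP and the policy ID are assumptions; the `#` lines are annotations, not CLI input.

```fortios
# Constructed example; object names, interfaces, IP and IDs are assumptions.
config firewall address
    edit "FMG-host"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# Option 1: the policy that matches FGT -> FMG traffic keeps SSL inspection
# at certificate level only, so the FMG certificate reaches the FortiGate
# unchanged and verifies against its original issuer.
config firewall policy
    edit 10
        set name "FGFM-to-FMG"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "FMG-host"
        set action accept
        set schedule "always"
        set service "FGFM"
        set utm-status enable
        # was: set ssl-ssh-profile "deep-inspection"  (re-signs the FMG cert; rejected since 7.0.14)
        set ssl-ssh-profile "certificate-inspection"
    next
end

# Option 2: keep deep-inspection on the policy but exempt the FMG destination
# from it, so only the FGFM session is left untouched.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "FMG-host"
            next
        end
    next
end
```

If deep inspection must stay on the FGFM path, the alternative the thread gives is to install the issuer CA used for re-signing on every managed FGT so the re-signed FMG certificate still chains to a trusted root.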

sw2090 (Author), SuperUser
June 10, 2024

The biggest thing with this is that the usual FGFM debug logs don't show you the actual certificate.

It just reports the CAs and the error itself.

Only the last interim build reported the actual certificate.