Dan_Eng52
Explorer III
May 3, 2025
Question

FortiManager - Pushing CLI Configuration Which Doesn't Exist

  • May 3, 2025
  • 4 replies
  • 5430 views

Hi all, 

 

I hope you can help me. 

 

I'm having an issue with our FortiManager and a conflict which is preventing us from getting the firewall to a synchronised state. Below is the ssl-ssh-profile and the configuration which it is trying to push; the problem is that this command doesn't exist on the FG CLI.


 

Does anyone know how I can remove this CLI configuration? I have tried un-selecting it, but it automatically adds tls-1.1 back into the settings. It's very annoying, and although it doesn't stop us from pushing our dynamic policy and other configuration, it will never be shown as synchronized due to this conflict.

 

Many thanks, 

Dan. 

4 replies

dingjerry_FTNT
Staff
May 3, 2025

Hi Dan,

 

What is your ADOM version? What is your FGT firmware version?

dingjerry_FTNT
Staff
May 3, 2025

Oh, if you have no ADOM enabled on your FMG, what is your FMG firmware version?

Dan_Eng52
Author
Explorer III
May 4, 2025

Hi dingjerry_FTNT, 

 

I hope you're well. 

 

Yes, I have ADOM configured. Currently the versions are:

ADOM Version: 7.6.3

FortiGate Version: 7.4.7

 

I have just upgraded the FortiManager to 7.6.3 as I was having multiple issues related to installation targets not working on dynamic firewall policies, as well as local-in issues, as FMG did not work with SD-WAN zones as the source interface.

 

Thankfully the policy issue is resolved now, but this issue has presented itself. Please see the full error below:

 


 

It is because the CLI command doesn't exist on the firewall, but I have yet to find a way to remove this from the 'CLI Configuration' section in FMG so that it doesn't push this configuration out. 

 

Thank you for your help.

 

Dan. 

dingjerry_FTNT
Staff
May 3, 2025

And it's better to provide your installation error message from FMG.

 

I mean the whole error message.

sw2090
SuperUser
May 5, 2025

According to a statement from TAC that I got with another issue, I think you ran into the same problem.

Your ADOM is on 7.6 while your FGT is still on 7.4. FMG provides you all options of 7.6 but does not care about your FGT version here. I had the same with ISDB entries: I could select entries that existed only in 7.2 and could not be deployed to an FGT that was still on 7.0.

I think the same happens here: min-allowed-ssl-version (or its parameters) is an option coming from 7.6 and due to that does not exist in 7.4.

According to TAC, in my case that is wanted behaviour...

dingjerry_FTNT
Staff
May 5, 2025

"I think the same happens here: min-allowed-ssl-version (or its parameters) is an option coming from 7.6 and due to that does not exist in 7.4."

 

This is not true.

 

My FGT is running V7.4.5 GA and it does have the "min-allowed-ssl-version" setting.

 

Meanwhile, the FortiOS 7.4.7 CLI reference guide has it:

 

https://docs.fortinet.com/document/fortigate/7.4.7/cli-reference/116695140/config-firewall-ssl-ssh-profile

 

@Dan_Eng52, you did not share what your SSL SSH Profile settings are. You may share them from your FGT config.

 

My guess is that the status of FTPS is disabled. This might be why you couldn't configure the "min-allowed-ssl-version" setting.

 

You may also log into your FGT directly and check whether it has that setting via CLI.
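A small pre-install check of the kind suggested above (compare the block FortiManager intends to push with what the FGT itself reports), written here as an added example; it is not code from this thread or from Fortinet, and both FortiOS-syntax sample texts are constructed.

```python
import shlex

# Constructed sample: the block FortiManager intends to install.
INTENDED = """
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ftps
            set status deep-inspection
            set min-allowed-ssl-version tls-1.1
        end
    next
end
"""

# Constructed sample: the same profile as shown by the FortiGate CLI.
DEVICE = """
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ftps
            set status disable
        end
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted names like "my profile"
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):      # descend into a new scope
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set":                 # leaf: setting name -> list of values
            node[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            node = stack.pop()
    return root

def flatten(tree, prefix=()):
    """Yield (path tuple, values) for every leaf setting in the parsed tree."""
    for key, value in tree.items():
        if isinstance(value, dict):
            yield from flatten(value, prefix + (key,))
        else:
            yield prefix + (key,), value

def missing_settings(intended_text, device_text):
    """Paths of settings in the intended block that the device output lacks."""
    device = dict(flatten(parse_fortios(device_text)))
    return [path for path, _ in flatten(parse_fortios(intended_text)) if path not in device]

if __name__ == "__main__":
    for path in missing_settings(INTENDED, DEVICE):
        print("not present on device:", " / ".join(path))
```

Feed it the real FMG CLI Configuration block and the output of the matching `show` command from the FGT to see exactly which setting the install would fail on.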

Dan_Eng52
Author
Explorer III
May 6, 2025

Hi @dingjerry_FTNT 

 

I hope you're well. 

 

Please see below: in the CLI I do not have the set min-allowed-ssl-version, but I do see that it is in the CLI reference document that you provided for 7.4.7, which is odd.

 


 

Is this something that has to be enabled in order for these commands to be listed within the CLI? I tried to have a look, but I couldn't see an explicit 'enable' command or similar to do so. 

 

Let me know if you want to see any other settings within my ssl-ssh-profile in order to confirm. 

 

Thanks, 

Dan. 

sw2090
SuperUser
May 6, 2025

Strange. According to https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/319620/config-firewall-ssl-ssh-profile the option exists even in FOS 7.2.

 

Since you didn't post the original error - could it be that it didn't complain about min-allowed-ssl-version not existing, but didn't accept your TLS version?

Did you try to roll out with the default tls-v1-1? Did that work?

Did you disable tls versions so they are not available on your FGT?

Dan_Eng52
Author
Explorer III
May 6, 2025

Hey @sw2090

 

Thanks for your response. 

 

It's very weird: I have tried within FortiManager setting the min-allowed-ssl-version to tls-v1-1, but unfortunately it gave me the same error. It seems as though my problem is that the command doesn't exist in the CLI of my FGT, although it's clear from the CLI reference guide that it should be there.

 

I'm thinking that there must be something that is required to 'enable' these commands to be displayed within the CLI, but I haven't uncovered this yet. 

 

Thanks, 
Dan.