mayar
New Member
September 30, 2024
Question

set banned-cipher prevents pushing the device configuration on trial FortiGate VM

  • 6 replies
  • 6742 views

Hi there,

I'm having an issue in a lab (built by me) that I've created with trial versions of FortiGate VMs (x2), FortiManager (x1) and FortiAnalyzer (x1).

I've added two FortiGates to the FortiManager, and everything was working without issues until the first device installation.

The FortiManager keeps showing an error in the installation of the device configuration. After digging around, I found out that the issue occurs because of the "set banned-cipher" command. This command seems to be not available in the trial fortivm, and in the FortiManager I wasn't able to remove the setting from the CLI configuration (because it requires at least 1 cipher that has to be banned).

The running versions of the devices are:

FortiGate VMs KVM 7.4.4 build 2662 (Feature)

FortiManager v7.4.3-build2487 240514 (GA)

FortiAnalyzer (while it doesn't have to do with the issue) v7.4.3-build2487 240514 (GA)


When I deselect the banned-cipher and click apply (in the CLI configuration of the device), the ciphers SHA1, SHA256 and SHA384 are reselected again!


Did anyone encounter this issue?

Is there a solution for this issue?

6 replies

dbhavsar
Staff
September 30, 2024

Hello @mayar,

- Have you tried manually configuring this on FortiGate?

mayar
Author
New Member
September 30, 2024

Hi,

I've tried to configure the setting through the CLI on the FortiGate, but the whole command seems not to exist. It might have to do with the fact that the FortiGates have trial licenses, but I'm not sure.

dbhavsar
Staff
September 30, 2024

Hello @mayar,

Just to confirm, are there any VDOMs configured in your FortiGate?

mayar
Author
New Member
October 6, 2024

Does anyone have the answer to my question?

I would really appreciate it!

Polarbearsnow
New Member
October 19, 2024

Did you ever figure this out? Currently having the same issue in my lab!

mayar
Author
New Member
October 19, 2024

I wasn't able to solve the issue, but I found a workaround to at least go through the labs.

You can retrieve the config from the device, then make changes and push the changes to the device. You'll probably then get the out-of-sync flag, but the changes will be pushed.

That's the only way that I was able to find.

Let's hope Fortinet is going to do something about this issue.

thebas
Visitor III
November 7, 2024

Hello!

Same issue here. Regarding the workaround, how did you "retrieve the config from the device, made necessary changes and pushed to the device"?

Thanks!

AmedBoti
New Member
November 11, 2024

Guys, any update on this issue?

funkylicious
SuperUser
November 11, 2024

I don't think it's an issue per se, more a limitation of the trial VM; those params might not apply.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/441460/permanent-trial-mode-for-fortigate-vm

  • Support for low encryption operation only, except for GUI management access and FortiManager communications

"jack of all trades, master of none"
AmedBoti
New Member
November 11, 2024

I see now, it must be that... Well, not much to operate and enjoy together with FortiManager.

roquexz
Visitor III
January 28, 2025

Hi,

I had the same error. The only solution that I found was to always retrieve the configuration to have my FortiGate in sync.

First run the command: diagnose dvm device list

If the status is out-of-sync you will need to retrieve the FortiGate configurations.

 

To retrieve the configuration you go to Device Manager > Device & Groups and select your device.

Then go to Dashboard: Summary and scroll down to Configuration and Installation.

Then click on Retrieve Config and done.

roquexz
Visitor III
February 9, 2025

Hi guys. I found the solution. You need to disable the VPN SSL on your FortiGate in the CLI.

config vpn ssl settings
    set status disable
end

Then retrieve the configuration to your FortiManager and this error is done.

Rub_aprendicia
Explorer
March 5, 2025

Hi, I have the same problem.

Sorry, but the problem is not fixed with these commands.

The config syncs OK because it does the revert config. BUT if you push another change from the FortiManager to the FortiGate, the conflict error appears again.

Thanks for your help,

And the problem is not fixed yet.

X-Ray1337
New Member
February 23, 2026

Same in my case: I disabled via CLI on FortiGate, did config revert + import config, and it looks "unchecked" on CLI Status, but it tried again to install the banned cipher... Any idea?

 
