Cybersecurity Forum


JohnMacDonald
New Contributor

FortiSIEM Collector (6.3) and TLS not working

Hello,

We have followed the instructions to use Syslog TLS: https://docs.fortinet.com/document/fortisiem/6.3.1/external-systems-configuration-guide/136807/syslo... However, while the TLS port 6514 is open and responsive, the connection does not complete the TLS handshake. I have verified that the collector is configured to use TLS 1.3; if we test the localhost built-in certificate on port 443, it is successful. We have verified that the client can connect to TCP port 6514.

e.g.

Successful:
openssl s_client -connect servername.com:443 -debug

Fails:
openssl s_client -connect servername.com:6514 -debug


We have been researching and testing with openssl commands to verify the certificate, but when we run any test against TCP port 6514 it hangs at "CONNECTED(00000003)" and never finishes. The self-signed cert we generated appears good.

Has anyone else encountered this issue, or have suggestions?

Regards,

John
KenMick
Staff

Hi John,

I just ran through this on a 6.3.0 and it seems to be working perfectly.

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

chmod 640 /etc/pki/tls/private/tls-collector1.key

chown root:admin /etc/pki/tls/private/tls-collector1.key

chmod 644 /etc/pki/tls/certs/tls-collector1.crt

Then edit /opt/phoenix/config/phoenix_config.txt and update these two lines:
tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

tls_key_file=/etc/pki/tls/private/tls-collector1.key


Finally, execute this command and wait for the phParser process to recover:
killall -9 phParser


Afterwards, validate:

echo -n | openssl s_client -connect localhost:6514


------------------------------
Ken
------------------------------
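As an added example (not code from this thread, from Fortinet, or from the linked configuration guide), the POSIX shell script below bundles the checks an administrator would want to run around Ken's steps: that the private key actually belongs to the certificate named in phoenix_config.txt, that the certificate has not expired, what permissions the key carries, and whether the listener on 6514 completes a handshake or only accepts the TCP connection (the "CONNECTED(00000003)" and then nothing symptom from the question). It assumes `openssl` and the coreutils `timeout` command are available on the collector; the file paths are taken from Ken's reply and the hostname is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the thread or from Fortinet. Pre-flight and
# post-restart checks for a TLS syslog listener such as the FortiSIEM
# collector's TCP/6514. Assumes openssl and coreutils timeout are installed.

# key_matches_cert KEY CRT -> exit 0 if the key's public half is byte-identical
# to the SubjectPublicKeyInfo inside the certificate. A key that does not
# belong to the certificate is one reason a listener accepts the TCP connection
# but never completes the TLS handshake.
key_matches_cert() {
    kmc_key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    kmc_crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kmc_key_pub" ] && [ "$kmc_key_pub" = "$kmc_crt_pub" ]
}

# cert_is_current CRT -> exit 0 if the certificate has not yet expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# probe_tls HOST PORT -> prints exactly one of:
#   tcp_closed      nothing answered on the port (no "CONNECTED(" line)
#   tls_incomplete  TCP connected but no handshake within 5 s (the symptom
#                   described in the question; check the phoenix log, not
#                   the system SSL logs)
#   tls_ok          handshake finished; "Verify return code" is printed even
#                   for a self-signed cert (code 18), which is still a
#                   completed handshake
probe_tls() {
    pt_out=$(timeout 5 openssl s_client -connect "$1:$2" </dev/null 2>&1) || :
    case "$pt_out" in
        *"Verify return code"*) echo tls_ok ;;
        *"CONNECTED("*)         echo tls_incomplete ;;
        *)                      echo tcp_closed ;;
    esac
}

# run_checks KEY CRT HOST PORT -> prints a short report; exit 0 only if the
# pair matches, the cert is current and the listener completes a handshake.
run_checks() {
    rc_status=0
    if key_matches_cert "$1" "$2"; then
        echo "key/cert pair:   match"
    else
        echo "key/cert pair:   MISMATCH (or unreadable file)"; rc_status=1
    fi
    if cert_is_current "$2"; then
        echo "cert validity:   current"
    else
        echo "cert validity:   EXPIRED"; rc_status=1
    fi
    # Ken's reply sets the key to 640 root:admin so the parser can read it.
    echo "key permissions: $(stat -c '%a %U:%G' "$1" 2>/dev/null || echo unknown)"
    rc_result=$(probe_tls "$3" "$4")
    echo "listener $3:$4: $rc_result"
    [ "$rc_result" = tls_ok ] || rc_status=1
    return $rc_status
}

# Usage on the collector (paths from Ken's reply; hostname is a placeholder):
#   sh check_tls_listener.sh /etc/pki/tls/private/tls-collector1.key \
#       /etc/pki/tls/certs/tls-collector1.crt localhost 6514
if [ $# -eq 4 ]; then
    run_checks "$@"
fi
```

Run it once before `killall -9 phParser` to catch a bad key/cert pair or an expired certificate, and once after the parser has recovered to confirm the listener reports `tls_ok` rather than `tls_incomplete`.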
JohnMacDonald

Ken,

Appreciate you testing the steps and confirming that they worked. I ended up creating a new certificate, and this time it worked. The troubleshooting took a while, as the actual error was not in any SSL logs in Linux but in the phoenix log. Hopefully using TLS over TCP to forward syslog-ng logs will work.

Thanks again.

John