heng
Staff
Article Id 276668
Description

This article describes why a FortiGate with FIPS-CC enabled is unable to send logs to FortiAnalyzer: the SSL connection fails, and the following error appears in the system event logs.

Log message: Certificate is invalid, subject: /C=MY/ST=KL/L=KL/O=Fortinet/OU=Fortinet/CN=faz.fortinet.local/emailAddress=fazfmg@fortinet.com

Reason: IP address mismatch.

Raw Log: date=2023-09-28 time=23:09:23 eventtime=1695967762949367293 tz="-0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="IP address mismatch" action="info" status="failure" msg="Certificate is invalid, subject: /C=MY/ST=KL/L=KL/O=Fortinet/OU=Fortinet/CN=faz.fortinet.local/emailAddress=fazfmg@fortinet.com"

Scope

FortiGate (FIPS-CC enabled), FortiAnalyzer.

Solution

  1. For a FortiGate with FIPS-CC enabled to send logs to FortiAnalyzer, the configuration requirements in the following article must be met: Technical Tip: FortiGate FIPS-CC enabled to send log to FortiAnalyzer.

  2. For the particular SSL error shown above, the cause is that the value configured with 'set server' in the FortiGate CLI does not match the CN of the custom server certificate on the FortiAnalyzer. The reason 'IP address mismatch' indicates that the FortiGate connected to an IP address, which is not what the certificate was issued for. From the error log, the FortiAnalyzer presents a server certificate with CN=faz.fortinet.local.

  3. Run the following CLI command on the FortiGate to check connectivity:

    FGT-74 # exe log fortianalyzer test-connectivity
    Failed to get FAZ's status. SSL error. (-3)

  4. Cross-check the FortiGate's FortiAnalyzer log settings; in this case, 'set server' is configured with the IP address:

    config log fortianalyzer setting
        set status enable
        set server "10.47.88.99"
        set certificate-verification disable
        set upload-option realtime
        set reliable enable
    end

  5. Changing 'set server' to the FQDN that matches the certificate CN fixes the issue. The FortiGate must be able to resolve this FQDN through DNS:

    config log fortianalyzer setting
        set status enable
        set server "faz.fortinet.local"
        set certificate-verification disable
        set upload-option realtime
        set reliable enable
    end

    If the FortiAnalyzer FQDN cannot be resolved via DNS, the following error is shown when it is configured:

    FGT-74 # config log fortianalyzer setting
    FGT-74 (setting) # set server "faz.fortinet.local"
    Unknown host: faz.fortinet.local

  6. Wait a minute or two for the OFTP connection to establish, then run the connectivity check on the FortiGate again. The Tx and Rx counters in the CLI output should now increase:

    FGT-74 # execute log fortianalyzer test-connectivity
    FortiAnalyzer Host Name: FAZ-74
    FortiAnalyzer Adom Name: root
    FortiGate Device ID: FGVM08TM99999999
    Registration: registered
    Adom Disk Space (Used/Allocated): 704606411B/53687091200B
    Analytics Usage (Used/Allocated): 651080306B/37580963840B
    Analytics Usage (Data Policy Days Actual/Configured): 4/60 Days
    Archive Usage (Used/Allocated): 53526105B/16106127360B
    Archive Usage (Data Policy Days Actual/Configured): 4/365 Days
    Log: Tx & Rx (17 logs received since 23:39:10 09/28/23)
    IPS Packet Log: Tx & Rx
    Content Archive: Tx & Rx
    Quarantine: Tx & Rx
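As an added example (not part of this article or of any Fortinet tool), the following Python check parses a FortiGate event log line of the kind shown above, pulls the CN out of the certificate subject, and reports when the configured 'set server' value is an IP address or a hostname that does not match that CN. The sample log line is constructed from the one in the article, and the `configured_server` value is assumed to be copied from `config log fortianalyzer setting`.

```python
import ipaddress
import re

# Constructed sample, modelled on the raw "SSL connection failed" log above.
SAMPLE_LOG = (
    'date=2023-09-28 time=23:09:23 logid="0100038410" type="event" '
    'subtype="system" level="information" logdesc="SSL connection failed" '
    'dstip=N/A reason="IP address mismatch" action="info" status="failure" '
    'msg="Certificate is invalid, subject: /C=MY/ST=KL/L=KL/O=Fortinet/'
    'OU=Fortinet/CN=faz.fortinet.local/emailAddress=fazfmg@fortinet.com"'
)

# key=value pairs; values are either a quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def certificate_cn(msg):
    """Extract the CN attribute from the '/C=.../CN=...' subject text in msg."""
    m = re.search(r'/CN=([^/]+)', msg)
    return m.group(1) if m else None


def diagnose(line, configured_server):
    """Return a finding when the log shows the server/CN mismatch described
    in the article, or None if the log is unrelated or the name matches."""
    fields = parse_fortigate_log(line)
    if fields.get("logdesc") != "SSL connection failed":
        return None
    cn = certificate_cn(fields.get("msg", ""))
    try:
        ipaddress.ip_address(configured_server)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        return (f"'set server' is the IP address {configured_server}, but the "
                f"FortiAnalyzer certificate is issued to CN={cn}; use the FQDN {cn}")
    if cn and configured_server.lower() != cn.lower():
        return (f"'set server' ({configured_server}) does not match the "
                f"certificate CN={cn}; use the FQDN {cn}")
    return None
```

Run `diagnose(SAMPLE_LOG, "10.47.88.99")` against the IP-based configuration from step 4 to see the finding; the FQDN configuration from step 5 returns None.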
