Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mpankovski_FTNT
Staff
Staff

Created on ‎06-16-2016 05:41 AM

Article Id 193976

Technical Note: Unable to access FortiGate via HTTPs 443 port after upgrade to 5.2.x

Description
This article provides troubleshooting steps in the case where a FortiGate cannot be accessed via HTTPs 443 port after an upgrade to 5.2.x

Scope
Upgrade to FortiGate v5.2.x

Solution
In order to check why the unit cannot be accessed on https port 443 use debugging on https daemon

# diag debug application httpsd -1
# diag debug enable

# [httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

If the output is similar to the example above then tlsv1-0 should be enabled.

A new global system parameter was added in FortiOS v5.2.3.  This parameter, with the default setting, restricts access to TLS V 1.1 and TLS V 1.2 only.

New default setting with FortiOS release v5.2.3:
FGT-1 #
config system global

FGT-1
(global) # get
admin-concurrent : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2 <---{ New default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3

The available options for HTTPS SSL versions are TLS 1.0, TLS 1.1, TLS 1.2, and SSLV3.

The following command can be used to add tlsv1-0:
FGT-1 # config system global
FGT-1(global) # append admin-https-ssl-versions tlsv1-0

Labels:
13143
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.