FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mpankovski_FTNT
Description
This article provides troubleshooting steps in the case where a FortiGate cannot be accessed via HTTPs 443 port after an upgrade to 5.2.x

Scope
Upgrade to FortiGate v5.2.x

Solution
In order to check why the unit cannot be accessed on https port 443 use debugging on https daemon

# diag debug application httpsd -1
# diag debug enable

# [httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100331] http_log.c[439] log_error_core -- [Tue May 24 14:32:11 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100332] http_log.c[439] log_error_core -- [Tue May 24 14:32:12 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100333] http_log.c[439] log_error_core -- [Tue May 24 14:32:13 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] SSL_accept failed
[httpsd 1550 - 1464100334] http_log.c[439] log_error_core -- [Tue May 24 14:32:14 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] SSL_accept failed
[httpsd 1551 - 1464100335] http_log.c[439] log_error_core -- [Tue May 24 14:32:15 2016] [error] error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

If the output is similar to the example above then tlsv1-0 should be enabled.

A new global system parameter was added in FortiOS v5.2.3.  This parameter, with the default setting, restricts access to TLS V 1.1 and TLS V 1.2 only.

New default setting with FortiOS release v5.2.3:
FGT-1 #
config system global

FGT-1
(global) # get
admin-concurrent : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2 <---{ New default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3

The available options for HTTPS SSL versions are TLS 1.0, TLS 1.1, TLS 1.2, and SSLV3.

The following command can be used to add
tlsv1-0:
FGT-1 # config system global
FGT-1(global) # append admin-https-ssl-versions tlsv1-0

Contributors