FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bvagadia
Staff
Staff
Article Id 205112
Description

This article describes the situation when the FortiGate and FortiAnalyzer connectivity test fails.

Scope FortiGate.
Solution
  1. If the connection between the FortiGate and FortiAnalyzer is down, check the connectivity by ping.

  2. Do the connectivity test from the FortiGate by using the below command:

 

exec log fortianalyzer test-connectivity

 

If the output is the below error then take the sniffers:

 

Failed to get FAZ's status. SSL error. (-3)

 

Take the sniffers for the FortiAnalyzer IP and check the connection.

 

Capture shows that FortiAnalyzer sending RST back to FortiGate:

 

66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681

66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682

66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840

66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840

66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682

66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207

66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843

66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207

66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850

67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850  <----- FortiAnalyzer sending RST.

 

Check the FortiAnalyzer settings on the FortiGate by using the below command:

 

get log fortianalyzer setting

status: enable

ips-archive: enable

server: 10.34.199.143

enc-algorithm: high   

conn-timeout: 10

monitor-keepalive-period: 5

monitor-failure-retry-period: 5

certificate                  :

source-ip                    :

upload-option           : 5-minute <----- Upload logs every 5 minutes.

reliable: disable  <----- Logs are sent over UDP.

 

Note.

Remote FortiAnalyzer logging over UDP if reliable is disabled and TCP if reliable.

 

  1. Enable reliability for the FortiAnalyzer settings by the below command:

     

    config log fortianalyzer setting

        set reliable enable

     

  2. Make sure to verify if any certificate has been assigned and check the certificate on both sides, FortiAnalyzer and FortiGate if they have the same and are valid.


    On FortiGate:

     

    config log fortianalyzer setting
        set certificate "Fortinet_Factory"
    end

 

System -> Certificates.

 

community1.PNG

 

On FortiAnalyzerGo under System setting -> Certificates.

 

community2.PNG

 

  1. If one of the certificates between FortiAnalyzer and FortiGate did not have between those units, download the certificate from the unit that has the certificate and import the unit that did not have the certificate.