Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bvagadia
Staff
Staff

Created on ‎02-19-2022 04:39 AM Edited on ‎01-04-2023 10:11 PM By Community Manager

Article Id 205112

Technical Tip: Connectivity issue between FortiGate and FortiAnalyzer (SSL Error)

Description

This article describes the situation when FortiGate and FortiAnalyzer connectivity test fails.
Scope FortiGate.
Solution

1) If the connection between the FortiGate and FortiAnalyzer is down, check the connectivity by ping.

 

2) Do the connectivity test from the FortiGate by using the below command:

 

# exec log fortianalyzer test-connectivity

 

If the output is the below error then take the sniffers:

 

Failed to get FAZ's status. SSL error. (-3)

 

Take the sniffers for the FortiAnalyzer IP and check the connection,

 

Capture shows that FortiAnalyzer sending RST back to FortiGate:

 

Capture shows that FortiAnalyzer sending RST back to FortiGate:

 

66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681

66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682

66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840

66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840

66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682

66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207

66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843

66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207

66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850

67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850  <----- FortiAnalyzer sending RST.

 

Check the FortiAnalyzer settings on the FortiGate by using the below command:

 

# get log fortianalyzer setting

status: enable

ips-archive: enable

server: 10.34.199.143

enc-algorithm: high   

conn-timeout: 10

monitor-keepalive-period: 5

monitor-failure-retry-period: 5

certificate                  :

source-ip                    :

upload-option           : 5-minute <----- Upload logs. every 5 minutes.

reliable: disable  <----- Logs are sent over UDP.

 

Note.

Remote FortiAnalyzer logging over UDP if reliable is disabled and TCP if reliable.

 

3) Enable reliable for the FortiAnalyzer settings by below command:

 

# config log fortianalyzer setting

    set reliable enable

 

4) Make sure to verify is any certificate has been assigned and Check certificate on both side, FortiAnalyzer and FortiGate if they have same and valid.


On FortiGate:

 

# config log fortianalyzer setting
    set certificate "Fortinet_Factory"
end

 

System -> Certificates.

 

Nur_0-1645358554174.png

 

On FortiAnalyzer:


System setting -> Certificates.

 

Nur_1-1645358554859.png

 

5) If one of the certificates between FortiAnalyzer and FortiGate did not have between those units, download the certificate from the unit that has the certificate and import the unit that did not have the certificate.
6905
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.