Created on 09-22-2023 01:14 AM
Edited on 09-22-2023 01:14 AM
By Jean-Philippe_P
Description: This article describes the issue seen when a FortiGate with an LENC (low encryption) license tries to update its FortiGuard database and license through a FortiManager acting as the FDS server.
Scope: FortiOS.
Solution:
CLI config:
FortiGate-100F # show system central-management
On the FortiManager, the default enc-algorithm is high and the default TLS version under config fmupdate fds-setting is also high.
Debug output from a FortiGate with LENC contacting a FortiManager with default settings (the SSL handshake fails):
FortiGate-100F # diagnose debug application update -1
FortiGate-100F # diagnose debug enable
FortiGate-100F # execute update-now
FortiGate-100F # upd_daemon[1782]-Received update now request
The debug output shows that the SSL handshake fails; in Wireshark, the FortiManager answers with a fatal alert whose description is "protocol version".
In the capture, 172.X.X.4 is the FortiGate IP and 172.X.X.6 is the FortiManager IP.
So verify in FortiManager, under config fmupdate fds-setting, which TLS version it accepts from the downstream FortiGate devices.
FortiManager has two places where the TLS version is set. Do not change the administrative setting used to access the GUI:
config sys global
set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For administrative login.
set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- If web services are enabled (for API use).
set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For the FGFM tunnel with FortiGate.
set ssl-low-encryption disable <----- Ensures that SSL low-grade encryption is disabled for the GUI.
For the downstream devices:
config fmupdate fds-setting
set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- Downstream with FortiGates and upstream with FortiGuard servers.
Change the fds-ssl-protocol version to match what the LENC FortiGate supports, verify the handshake with Wireshark, and then update the license and database.
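The following is an added example, not code from the Fortinet article: it decodes the TLS alert record that the packet capture shows when the FDS handshake fails, and checks a candidate fds-ssl-protocol value against the highest version the FortiGate can offer. It assumes fds-ssl-protocol is the lowest version FortiManager accepts, and the sample record bytes are constructed.

```python
# Added example (not Fortinet's code): decode a captured TLS alert and check
# whether a given fds-ssl-protocol setting can complete the handshake.
import struct

# Assumption: record-layer version numbers for the values fds-ssl-protocol accepts.
TLS_VERSIONS = {"sslv3": (3, 0), "tlsv1.0": (3, 1), "tlsv1.1": (3, 2), "tlsv1.2": (3, 3)}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
RECORD_ALERT = 0x15  # TLS record content type for alerts


def parse_tls_alert(record: bytes) -> dict:
    """Parse one TLS record; report level/description if it is an alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if ctype != RECORD_ALERT or len(body) != 2:
        return {"alert": False, "content_type": ctype}
    level, desc = body  # level 2 == fatal, as Wireshark labels it
    return {
        "alert": True,
        "record_version": (major, minor),
        "fatal": level == 2,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def handshake_compatible(fds_ssl_protocol: str, fortigate_max: str) -> bool:
    """Assumption: fds-ssl-protocol is the minimum version FortiManager accepts,
    so the FortiGate's highest offered version must reach it."""
    return TLS_VERSIONS[fortigate_max] >= TLS_VERSIONS[fds_ssl_protocol]


def diagnose(record: bytes, fds_ssl_protocol: str, fortigate_max: str) -> str:
    """Combine the decoded alert with the configured versions into one verdict."""
    info = parse_tls_alert(record)
    if info.get("alert") and info["fatal"] and info["description"] == "protocol_version":
        if not handshake_compatible(fds_ssl_protocol, fortigate_max):
            return f"lower fds-ssl-protocol from {fds_ssl_protocol} to {fortigate_max}"
        return "protocol_version alert despite compatible versions; check cipher/LENC limits"
    return "no fatal protocol_version alert in this record"


# Constructed sample: fatal (2) protocol_version (70) alert in a TLS 1.0 record.
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])

if __name__ == "__main__":
    print(parse_tls_alert(SAMPLE_ALERT))
    print(diagnose(SAMPLE_ALERT, "tlsv1.2", "tlsv1.0"))
```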
Related article:
Copyright 2023 Fortinet, Inc. All Rights Reserved.