- Instead of the default FortiGuard servers, a FortiGate can use FortiManager as its FDS server for license updates and database updates.
- There are then two possible update sources: if FortiManager fails to deliver the update, the FortiGate can fall back to the default FortiGuard servers, provided that fallback is enabled under central management (include-default-servers).
CLI config:
FortiGate-100F # show system central-management
config system central-management
    set type fortimanager
    set fmg "172.x.x.x"
    config server-list
        edit 1
            set server-type update rating
            set server-address 172.x.x.x
        next
    end
    set fmg-update-port 443
    set include-default-servers disable    <----- enabled by default
end
- When include-default-servers is disabled, the FortiGate gets its updates only from the FortiManager; there is no fallback to FortiGuard.
- By default, enc-algorithm (under config system central-management) is set to high for normal licenses, but on a FortiGate with an LENC (low-encryption) license it is set to low.
- With enc-algorithm low, the FortiGate offers low-grade encryption, i.e. older protocol versions such as SSLv3/TLS 1.0, when it connects to the FortiManager.
- On the FortiManager side, however, the default enc-algorithm is high, and the TLS version accepted under config fmupdate fds-setting is also the high (newer) one, so the two ends cannot agree on a protocol version.
Debugs from a FortiGate with an LENC license connecting to a FortiManager with default settings (the SSL handshake fails):
FortiGate-100F # diagnose debug application update -1 Debug messages will be on for 30 minutes.
FortiGate-100F # diagnose debug enable
FortiGate-100F # execute update-now
FortiGate-100F #
upd_daemon[1782]-Received update now request
upd_daemon[1508]-Found cached action=00000002
do_update[492]-Starting now UPDATE (final try)
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_update[504]-UPDATE failed
upd_fds_create_list[1159]-trying remote fds without default FortiGuard servers
mgmt_vd_change_notif[39]-Detected tz change 4->84
upd_daemon[1759]-Received setup request
upd_daemon[1508]-Found cached action=00000001
do_setup[343]-Starting SETUP
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_setup[355]-Failed setup
In the debug output above the SSL handshake fails: the FortiManager answers the FortiGate's ClientHello with a fatal TLS alert "protocol version" (OpenSSL error 1409442E, tlsv1 alert protocol version). Note also the line "trying remote fds without default FortiGuard servers": because include-default-servers is disabled, the FortiGate does not fall back to FortiGuard. The same fatal alert from the FortiManager is visible in a Wireshark capture of the exchange.
Where: 172.X.X.4 is the FortiGate IP and 172.X.X.6 is the FortiManager IP.
So verify, under config fmupdate fds-setting on the FortiManager, which TLS version it accepts from downstream FortiGate devices.
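The failure above is easy to miss in a long update debug, so the following added example (not Fortinet code, and not part of the original article) scans `diagnose debug application update -1` output, records each "Trying FMG/FDS host:port" attempt together with the OpenSSL error that followed it, and reports which setting to look at. The sample lines are constructed from the handshake failure shown on this page; the finding text, the field names and the "include-default-servers" inference from the "without default FortiGuard servers" line are this example's own assumptions.

```python
"""Classify FortiGate update-daemon debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one failed UPDATE attempt against a FortiManager used
# as FDS server, followed by the daemon skipping the public FortiGuard
# servers (the behaviour seen when include-default-servers is disabled).
SAMPLE_DEBUG = """\
upd_daemon[1782]-Received update now request
upd_daemon[1508]-Found cached action=00000002
do_update[492]-Starting now UPDATE (final try)
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
upd_comm_connect_fds[476]-Failed SSL connect
do_update[504]-UPDATE failed
upd_fds_create_list[1159]-trying remote fds without default FortiGuard servers
"""

# "Trying FMG 172.x.x.x:443" / "Trying FDS ..." marks the start of one attempt.
TRYING_RE = re.compile(r"Trying (?P<kind>FMG|FDS)\s+(?P<host>[^:\s]+):(?P<port>\d+)")
# OpenSSL error string: error:<code>:<lib>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"SSL_connect fail\w*: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


@dataclass
class UpdateAttempt:
    target_kind: str            # FMG (FortiManager as FDS) or FDS (FortiGuard)
    host: str
    port: int
    ssl_error: Optional[str] = None   # OpenSSL reason text, if the handshake failed
    failed: bool = False


@dataclass
class UpdateDiagnosis:
    attempts: List[UpdateAttempt] = field(default_factory=list)
    default_servers_skipped: bool = False

    def findings(self) -> List[str]:
        """Human-readable conclusions, one per problem found."""
        out = []
        for a in self.attempts:
            if a.ssl_error and "alert protocol version" in a.ssl_error:
                # A received protocol_version alert means the peer rejected the
                # TLS version the FortiGate offered; on a LENC unit that is the
                # low enc-algorithm versus the FortiManager's accepted version.
                out.append(
                    f"{a.target_kind} {a.host}:{a.port} rejected the offered TLS version "
                    "(fatal protocol_version alert): compare enc-algorithm under "
                    "'config system central-management' on the FortiGate with "
                    "'set fds-ssl-protocol' under 'config fmupdate fds-setting' on FortiManager."
                )
            elif a.failed:
                out.append(
                    f"{a.target_kind} {a.host}:{a.port}: connection failed "
                    f"({a.ssl_error or 'no TLS error recorded'})."
                )
        if self.default_servers_skipped:
            out.append(
                "include-default-servers is disabled: no fallback to the public FortiGuard "
                "servers, so every update depends on the FortiManager above."
            )
        return out


def parse_update_debug(text: str) -> UpdateDiagnosis:
    """Walk the debug lines and attach errors to the attempt they belong to."""
    diag = UpdateDiagnosis()
    current: Optional[UpdateAttempt] = None
    for raw in text.splitlines():
        line = raw.strip()
        if "without default FortiGuard servers" in line:
            diag.default_servers_skipped = True
            continue
        m = TRYING_RE.search(line)
        if m:
            current = UpdateAttempt(m["kind"], m["host"], int(m["port"]))
            diag.attempts.append(current)
            continue
        if current is None:
            continue
        m = OPENSSL_ERR_RE.search(line)
        if m:
            current.ssl_error = m["reason"].strip()
            continue
        if any(s in line for s in ("Failed SSL connect", "UPDATE failed", "Failed setup")):
            current.failed = True
    return diag


if __name__ == "__main__":
    for finding in parse_update_debug(SAMPLE_DEBUG).findings():
        print("-", finding)
```

Feed it the raw output of `diagnose debug application update -1` after `execute update-now`; a clean run (an attempt line with no OpenSSL error and no failure line) yields no findings, and a run that reaches the public FortiGuard servers shows up as FDS attempts rather than FMG ones.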
FortiManager has two places where a TLS version is set. The first, under config system global, governs administrative access (GUI, API and the FGFM tunnel) and should not be changed for this issue:
config system global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}               <----- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}   <----- If web services are enabled (API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}          <----- For the FGFM tunnel with FortiGate.
    set ssl-low-encryption disable                                       <----- Keeps SSL low-grade encryption disabled for the GUI.
end
The second is for the downstream devices:
config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}   <----- Downstream with FortiGates and upstream with FortiGuard servers.
end
Set fds-ssl-protocol to a version the LENC FortiGate can negotiate, confirm in Wireshark (or by re-running the update debug) that the handshake now completes, then run execute update-now to refresh the license and the databases. Keep in mind that fds-ssl-protocol applies to every downstream FortiGate and to the upstream FortiGuard connection, so lower it only as far as the LENC devices require.