asengar (Staff)
Article Id 275297
Description: This article describes the issue faced when a FortiGate with a LENC (low encryption) license tries to update its FortiGuard database and license using FortiManager as the FDS server.
Scope: FortiOS.
Solution
  • FortiManager can be used as the FDS server in place of the default FortiGuard servers for both the license update and the database update.
  • There are therefore two possible update sources: if the FortiManager fails to update, the FortiGate can fall back to the default FortiGuard servers, provided that is enabled in the central-management settings.

CLI config:

FortiGate-100F # show system central-management
    config system central-management
        set type fortimanager
        set fmg "172.x.x.x"
            config server-list
                edit 1
                    set server-type update rating
                    set server-address 172.x.x.x
                next
            end
        set fmg-update-port 443
        set include-default-servers disable    -> by default this is enabled.
end


  • When include-default-servers is disabled, the FortiGate must get its updates only from the FortiManager.
  • By default, enc-algorithm is set to high for normal licenses, but for a LENC FortiGate license it is set to low.
  • So when the FortiGate tries to communicate with the FortiManager, it uses low-encryption protocol versions such as SSLv3/TLS 1.0.

In FortiManager, however, the default enc-algorithm is high and the TLS version is also set to high under config fmupdate fds-setting.


Debug output from a FortiGate with LENC connecting to a FortiManager with default settings (the SSL handshake fails):

FortiGate-100F # diagnose debug application update -1
Debug messages will be on for 30 minutes.

FortiGate-100F # diagnose debug enable

FortiGate-100F # execute update-now

FortiGate-100F # upd_daemon[1782]-Received update now request
upd_daemon[1508]-Found cached action=00000002
do_update[492]-Starting now UPDATE (final try)
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_update[504]-UPDATE failed
upd_fds_create_list[1159]-trying remote fds without default FortiGuard servers
mgmt_vd_change_notif[39]-Detected tz change 4->84
upd_daemon[1759]-Received setup request
upd_daemon[1508]-Found cached action=00000001
do_setup[343]-Starting SETUP
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x.:443
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
ssl_connect_fds[392]-Failed SSL connecting (6,0,TLS/SSL connection has been closed)
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
do_setup[355]-Failed setup


In the debug output above, the SSL handshake fails; the Wireshark capture shows FortiManager sending a fatal 'protocol version' alert.


[Wireshark capture: FMG.png. 172.X.X.4 is the FortiGate IP and 172.X.X.6 is the FortiManager IP.]
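As an added example (not Fortinet code), the following Python script parses the diagnose debug application update -1 output shown above, groups it by FMG/FDS connection attempt, and flags the 'tlsv1 alert protocol version' failure as the LENC versus fds-ssl-protocol mismatch this article describes. The regex patterns and verdict strings are this example's own assumptions, derived from the log format on the page.

```python
import re
from dataclasses import dataclass

# Patterns for the upd_daemon debug lines shown in this article.
TRY_RE = re.compile(r"upd_comm_connect_fds\[\d+\]-Trying (?P<kind>\S+) (?P<host>\S+):(?P<port>\d+)$")
SSL_ERR_RE = re.compile(r"SSL_connect fail\w*: error:[0-9A-Fa-f]+:[^:]+:[^:]+:(?P<reason>.+)$")
FAIL_RE = re.compile(r"-(UPDATE failed|Failed setup)$")

@dataclass
class Attempt:
    server: str               # e.g. "FMG 172.x.x.x:443"
    ssl_error: str = ""       # OpenSSL reason string if the handshake failed
    verdict: str = "pending"

def classify(reason: str) -> str:
    # A fatal 'protocol version' alert from the peer means the TLS versions the LENC
    # FortiGate offers and the ones fds-ssl-protocol on FortiManager accepts do not overlap.
    if "protocol version" in reason:
        return "tls-version-mismatch: align fds-ssl-protocol with the FortiGate enc-algorithm"
    return "ssl-failure: " + reason

def analyze(log_text: str) -> list:
    """Group the debug output by FDS/FMG connection attempt and give each a verdict."""
    attempts = []
    for line in log_text.splitlines():
        m = TRY_RE.search(line)
        if m:  # a new connection attempt starts here
            host = m["host"].rstrip(".")  # one article line has a stray trailing dot
            attempts.append(Attempt(f"{m['kind']} {host}:{m['port']}"))
            continue
        if not attempts:
            continue  # lines before the first attempt carry no verdict
        cur = attempts[-1]
        m = SSL_ERR_RE.search(line)
        if m:
            cur.ssl_error = m["reason"].strip()
            cur.verdict = classify(cur.ssl_error)
        elif FAIL_RE.search(line) and cur.verdict == "pending":
            cur.verdict = "failed: no SSL error recorded"
    return attempts

# Excerpt of the article's debug output: the UPDATE attempt, then the SETUP attempt.
SAMPLE_LOG = """\
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x:443
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
do_update[504]-UPDATE failed
upd_comm_connect_fds[458]-Trying FMG 172.x.x.x.:443
[1001] ssl_connect: SSL_connect failes: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
do_setup[355]-Failed setup
"""
```

Running analyze(SAMPLE_LOG) yields two attempts against FMG 172.x.x.x:443, both classified as a TLS version mismatch; a debug capture with a different OpenSSL reason is reported as a generic SSL failure instead.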


Therefore, verify the setting under config fmupdate fds-setting in FortiManager and check which TLS version FortiManager accepts from downstream FortiGate devices.


In FortiManager there are two places to set the TLS version; do not change the admin settings that control GUI access:

config sys global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- If web services are enabled (for API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For the FGFM tunnel with FortiGate.
    set ssl-low-encryption disable <----- Ensures that SSL low-grade encryption is disabled for the GUI.

For the downstream devices:
config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- Downstream with FortiGates and upstream with FortiGuard servers.

Change the fds-ssl-protocol version to match what the LENC FortiGate supports (verify with Wireshark), then update the license and the database.

Related article: