FortiGate
ppardeshi
Staff
Article Id 247412
Description This article describes why FortiGate HA shows as out of sync after upgrading to 7.2.4 build 1396: a checksum mismatch on endpoint-control.fctems.
Scope FortiGate v7.2.4.
Solution

A new feature and CLI toggle, 'set trust-ca-cn', was added in the 7.2.4 firmware to handle the automatic certificate renewal that FortiClient EMS Cloud performs every 3 months.

Because of this renewal, the connection between the FortiGate and EMS Cloud was interrupted each time the certificate was renewed.

This enhancement adds a new CLI option for each FortiClient EMS connector (trust-ca-cn). This option is enabled by default. When enabled, the Certificate Authority (CA) and Common Name (CN) information is stored with the connector, which allows the FortiGate to automatically approve an updated certificate as long as it has the same CA and CN.

For some CAs with special characters in the CA name, this does not work: the secondary unit of the FortiGate HA cluster fails to sync the CA name, throws an 'XSS vulnerability characters' error, and the cluster stays out of sync.

Example:

Non-working scenario, when the CA name contains an apostrophe (shown escaped as \' in the CLI):

FGVM04TM22-----2 # config endpoint-control fctems
FGVM04TM220-----2 (fctems) # edit 1
FGVM04TM22-----2 (1) # show
config endpoint-control fctems
    edit 1
        set status enable
        set name "ems"
        set server "10.0.10.200"
        set https-port 10443
        set serial-number "FCTEMS8822-----0"
        set tenant-id "00000000000000000000000000000000"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id

        set  ca-cn-info "C = US, O = Let\'s Encrypt, CN = R3*.yvrlab.us"

The string contains XSS vulnerability characters

value parse error before 'C = US, O = Let'
Command fail. Return code -173
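As an added pre-upgrade check that is not part of this article, the following Python script (standard library only) renders the issuer of the EMS server certificate in the same 'C = ..., O = ..., CN = ...' form the CLI shows in ca-cn-info and reports any character the 7.2.4 CLI is known to reject. The apostrophe is the only character documented here, so REJECTED_CHARS is an assumption to extend from your own testing, and SAMPLE_CERT is a constructed stand-in for a live getpeercert() result.

```python
import socket
import ssl

# Characters this article shows the 7.2.4 CLI refusing inside ca-cn-info (the
# apostrophe in "Let's Encrypt"). Assumption: extend only from your own testing.
REJECTED_CHARS = frozenset("'")

# getpeercert() spells attributes out in full; the FortiOS CLI uses short names.
ATTR_SHORT = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN",
}

# Constructed stand-in for ssl.SSLSocket.getpeercert(): 'issuer' is a tuple of
# RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_CERT = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}

def issuer_dn(cert):
    """Render the issuer of a getpeercert() dict as 'C = US, O = ..., CN = ...'."""
    return ", ".join(
        f"{ATTR_SHORT.get(attr, attr)} = {value}"
        for rdn in cert.get("issuer", ())
        for attr, value in rdn
    )

def sync_risk(dn):
    """Return the characters in dn that would trigger the secondary unit's
    'XSS vulnerability characters' error (an empty list means the CA name is safe)."""
    return [ch for ch in dn if ch in REJECTED_CHARS]

def fetch_issuer_dn(host, port=10443, timeout=5.0):
    """Connect to the EMS server (10443 is the https-port from this article) and
    return the issuer DN of its certificate. Verification stays on: getpeercert()
    returns {} when it is disabled, so load a private EMS CA into ctx first."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_dn(tls.getpeercert())

if __name__ == "__main__":
    dn = issuer_dn(SAMPLE_CERT)
    print(dn, "->", "HA sync at risk" if sync_risk(dn) else "OK")
```

Run fetch_issuer_dn() against the EMS address configured in 'set server' before upgrading; a non-empty sync_risk() result means the cluster will hit this checksum mismatch unless trust-ca-cn is disabled.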

Working scenario: when the special character is removed from the CA name, the configuration syncs.

# config endpoint-control fctems
    edit 1
        set status enable
        set name "ems"
        set server "10.0.10.200"
        set https-port 10443
        set serial-number "FCTEMS8822-----0"
        set tenant-id "00000000000000000000000000000000"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id
        set ca-cn-info "C = US, O = Lets Encrypt, CN = R3*.yvrlab.us"
    next
end

As a workaround in firmware 7.2.4 GA, 'trust-ca-cn' can be disabled under 'config endpoint-control fctems'.

Example:


# config endpoint-control fctems
    edit 1
        set trust-ca-cn disable
    next
end

The issue is addressed and resolved in Firmware 7.2.5 and 7.4.0.
