FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ssanga
Staff & Editor
Article Id 409318
Description This article describes an issue where an IP Address Threat Feed connection may fail with the error 'Server not reachable' when server-identity-check is enabled (basic or full).
Scope FortiGate v7.4.5, v7.4.6, v7.4.7, v7.4.8, v7.6.1, v7.6.2, v7.6.3.
Solution

When an IP Address Threat Feed is configured with server-identity-check set to basic or full, the feed connection fails with the error 'Server not reachable'. This occurs even when the CA certificate that issued the feed server's certificate has been correctly imported into the FortiGate, so the failure is not explained by a missing or wrong CA.

config system external-resource
    edit "ip"
        set type address
        set username "xyz"
        set password ******
        set resource "https://lab.fortinet.com/files-auth-need/Domain-auth.txt"
        set server-identity-check <basic|full>
        set refresh-rate 1
    next
end

The following output appears in the forticron debug logs. It shows the TLS handshake failing at certificate verification: the forticron daemon is unable to validate the server's certificate and abandons the connection attempt, which the GUI reports as 'Server not reachable'. Enable the debug with:

diagnose debug app forticron 0xf00
diagnose debug console timestamp enable
diagnose debug enable

http_request_make()-2236: HTTP request: https

GET /files-auth-need/Domain-auth.txt HTTP/1.1
Host: lab.fortinet.com
User-Agent: curl/7.58.0
Authorization: Basic c2FtbXk6MTIzNDU2
Accept: */*
Connection: close

__update_ext()-282: Updating EXT 'ip' with HTTP
__http_resolv_cb()-2026: ssl set SNI 'lab.fortinet.com'
ext_update_result()-361: HTTP result=1: __http_connect() tcps_connect(172.16.200.X) failed: ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate <<<<<<<
__http_stop()-777: Close http connect: __http_connect


This issue has been resolved in:

These timelines for firmware release are estimates and may be subject to change.

Workaround:
Disable server-identity-check on the affected external resource with the commands below. Be aware of what this gives up: with server-identity-check unset, the FortiGate no longer validates the feed server's certificate, so an on-path attacker who can intercept the HTTPS connection could serve a substitute feed. Before applying the workaround, confirm that the server's certificate chain really is valid against the imported CA (for example with openssl s_client -connect <host>:443 -servername <host> -CAfile <ca.pem> from another host), so that a genuinely broken chain is not mistaken for this bug, and re-enable server-identity-check after upgrading to a fixed release.

config system external-resource
    edit <name>
        unset server-identity-check
    next
end

Related articles:
Troubleshooting Tip External connector threat feed connection
Technical Tip External threat list threat feed is not working