FortiGate
ssanga (Staff)
Article Id 358721
Description This article explains a known issue where the 'fortiguard-anycast' setting is automatically disabled when navigating to the FortiGuard page on the FortiGate GUI.
Scope FortiGate v7.4.5.
Solution

When navigating to the FortiGuard page on the FortiGate GUI, the 'fortiguard-anycast' setting is automatically disabled.

However, no event is logged in the System events to indicate this change.


Errors related to failed certificate verification are observed in both the 'updated' debugs and the System events, as shown below. These errors occur only while 'fortiguard-anycast' is disabled:

Debugs:


2024-11-06 12:16:38 [362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
2024-11-06 12:16:38 [1421] SSL_dump_handshake_err: Certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
2024-11-06 12:16:38 [1063] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
2024-11-06 12:16:38 [870] tcps_connect: 173.243.138.76:443 -- ret -1, state 0x7(Failed) -> 0x7(Failed)
2024-11-06 12:16:38 [877] tcps_connect: tcps_connect failed: ssl_connect() failed: 0 (error:00000000:lib(0)::reason(0))
2024-11-06 12:16:38 [501] fds_https_connect: https_connect(173.243.138.76:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0)::reason(0)).
2024-11-06 12:16:38 [667] fds_https_stop_server: 173.243.138.76:443

System Events:


date=2024-11-06 time=12:16:47 eventtime=1730870206122770022 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"
date=2024-11-06 time=12:16:38 eventtime=1730870198817422451 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"
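Because the setting change itself produces no System event, the only log trail of this issue is the repeated "SSL connection failed" event (logid 0100038410) with the self-signed-chain reason shown above. The following Python script is an added example, not part of this article or of FortiOS: it parses FortiOS key=value event lines as forwarded to a syslog collector and flags that pattern so an operator can check whether 'fortiguard-anycast' was silently disabled. The two sample events are the ones from this article; the third line is a constructed negative (a different failure reason) to show the filter does not match every SSL failure.

```python
import re
from typing import Dict, List

# One key=value token of the FortiOS log format. The value is either a
# double-quoted string (which may contain spaces, '=' and '/') or a bare token.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Values taken from the events shown in the article.
SSL_FAILED_LOGID = "0100038410"
SELF_SIGNED_REASON = "self-signed certificate in certificate chain"
FORTIGUARD_CA_CN = "CN=fortinet-ca2"


def parse_fortios_event(line: str) -> Dict[str, str]:
    """Parse one FortiOS event line into a dict, stripping the quotes around values."""
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_fortiguard_ssl_failure(event: Dict[str, str]) -> bool:
    """True for the specific failure signature: SSL failure, self-signed chain, FortiGuard CA subject."""
    return (
        event.get("logid") == SSL_FAILED_LOGID
        and event.get("status") == "failure"
        and event.get("reason") == SELF_SIGNED_REASON
        and FORTIGUARD_CA_CN in event.get("msg", "")
    )


def find_fortiguard_ssl_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Return a compact record for every matching event, in input order."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines in a syslog export
        ev = parse_fortios_event(line)
        if is_fortiguard_ssl_failure(ev):
            msg = ev.get("msg", "")
            hits.append({
                "time": f'{ev.get("date", "")} {ev.get("time", "")}',
                "vd": ev.get("vd", ""),
                "subject": msg.split("subject: ", 1)[-1],
            })
    return hits


SAMPLE_LINES = [
    # The two events from the article:
    'date=2024-11-06 time=12:16:47 eventtime=1730870206122770022 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"',
    'date=2024-11-06 time=12:16:38 eventtime=1730870198817422451 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"',
    # Constructed negative example (not from the article): same logid, different reason and subject.
    'date=2024-11-06 time=12:20:01 eventtime=1730870401000000000 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="certificate has expired" action="info" status="failure" msg="Certificate is invalid, subject: /CN=constructed-example"',
    "",
]


if __name__ == "__main__":
    for hit in find_fortiguard_ssl_failures(SAMPLE_LINES):
        print(f'{hit["time"]} vd={hit["vd"]} FortiGuard TLS verification failed for {hit["subject"]}')
    print("If these repeat, check: show system fortiguard | grep anycast")
```

Running it on the article's two events reports both and ignores the constructed expired-certificate line. A burst of these events on a v7.4.5 unit shortly after someone opened the FortiGuard GUI page is the practical indicator that 'fortiguard-anycast' has been turned off and should be re-enabled from the CLI.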

The development team is investigating this issue. Once a fix is available, the article will be updated with the latest information.

Logs required by FortiGate TAC for investigation:

  1. Debugs:

diagnose debug application updated -1
diagnose debug console timestamp enable
diagnose debug enable
<reproduce the issue>
diagnose debug reset

  2. TAC Report:


execute tac report

  3. Configuration file of the FortiGate.
  4. FortiGate Support Tool data: Troubleshooting Tip: Collect GUI slowness and errors debugs via FortiGate Support Tool