_mribwan
Staff
Article Id 367714
Description This article describes how to troubleshoot a FortiSOAR connector having issues connecting to FortiGate.
Scope FortiSOAR, FortiGate.
Solution

FortiSOAR requires the following in order to connect to FortiGate:

 

  • HTTPS access to the FortiGate interface (default port 443).
  • A REST API admin, with its API key configured on FortiSOAR.
  • The FortiSOAR IP must be configured as a Trust Host if the other admin accounts are configured with Trust Hosts.
  • If multi-VDOM is enabled:
    1. A VDOM interface IP is required in the Hostname section on FortiSOAR.
    2. On FortiGate, a network interface in the specified VDOM is used, with its own IP address and a separate subnet, different from the global or root VDOM.

More information: https://docs.fortinet.com/document/fortisoar/5.3.0/fortinet-fortigate/863/fortinet-fortigate-v5-3-0

 

Troubleshooting steps:

 

First, use the packet sniffer and debug flow to confirm that FortiGate receives the traffic from FortiSOAR and allows it:

 

diagnose sniffer packet any "host <FortiSOAR IP>" 4 0 l

diagnose debug flow filter address <FortiSOAR IP>

diagnose debug flow show function enable
diagnose debug flow iprope enable
diagnose debug flow trace start 100
diagnose debug enable

 

Stop the process with the following command:

 

diagnose debug disable

 

Scenario 1:

Traffic flows from one interface to another on FortiGate. A firewall policy is required to allow it.

 

Example: Traffic from FortiSOAR comes in via an IPsec tunnel and is destined for the Port3 interface.

 

Create a firewall policy on FortiGate to allow the traffic from the IPsec tunnel to Port3.

 

Scenario 2:

Traffic is denied by the check against iPrope group 10000f (administrative traffic, allowed based on the access the interface allows).

 

Debug flow result:


id=65308 trace_id=8497 func=__iprope_check line=2290 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=8497 func=iprope_policy_group_check line=4694 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=8497 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"

 

Verify that the REST API admin is configured with the correct FortiSOAR IP as Trust Host. Confirm that the IP appears in the output of:

 

diagnose firewall iprope list 10000f | grep source

 

More information is available in Technical Tip: iPrope policies group.

 

If the FortiSOAR IP does not appear after configuring it under Trust Host, open a ticket with TAC and include the information collected above.
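
To tell the two scenarios apart in saved debug flow output, the following Python script groups lines by trace_id and flags a local-in drop in iPrope group 10000f. It is an added example, not part of the original article or any Fortinet tool; the function name, the verdict labels and the forward-deny message text used for Scenario 1 are assumptions, and the second sample trace is constructed.

```python
import re
from collections import defaultdict

# One debug flow line: id=... trace_id=... func=... line=... msg="..."
LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
# iPrope group result, e.g. "gnum-10000f check result: ret-matched, act-drop, ..."
GNUM_RE = re.compile(r'gnum-(?P<gnum>[0-9a-f]+) check result: ret-\w+, act-(?P<act>\w+)')

def triage(text):
    """Return {trace_id: verdict} for every trace found in debug flow output."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:  # ignore banner lines and anything that is not a trace line
            traces[int(m["trace"])].append((m["func"], m["msg"]))
    verdicts = {}
    for trace, entries in traces.items():
        verdict, admin_group_drop = "no-drop-seen", False
        for func, msg in entries:
            g = GNUM_RE.search(msg)
            if g and g["gnum"] == "10000f" and g["act"] == "drop":
                admin_group_drop = True
            if func == "fw_local_in_handler" and "check failed" in msg:
                # Scenario 2: management traffic to the FortiGate itself was dropped.
                verdict = ("scenario-2: verify Trust Host" if admin_group_drop
                           else "local-in drop in another iPrope group")
            elif "Denied by forward policy check" in msg:
                # Scenario 1 (assumed message text): no firewall policy matched.
                verdict = "scenario-1: add firewall policy"
        verdicts[trace] = verdict
    return verdicts

# Trace 8497 is the output shown in Scenario 2. Trace 8498 is constructed
# (function name, line number and message are assumptions, not from the article).
SAMPLE = '''\
id=65308 trace_id=8497 func=__iprope_check line=2290 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=8497 func=iprope_policy_group_check line=4694 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=8497 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=8498 func=fw_forward_handler line=0 msg="Denied by forward policy check (policy 0)"
'''

if __name__ == "__main__":
    for trace, verdict in triage(SAMPLE).items():
        print(trace, verdict)
```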
