FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami
Staff
Article Id 402811
Description This article describes how to resolve the issue where the FortiSIEM Windows Agent installation fails on Windows Server 2012 R2, despite meeting .NET Framework and TLS 1.2 prerequisites. The root cause was traced to missing support for required SSL cipher suites on the server.
Scope FortiSIEM v7.x+
Solution

Root Cause:
The FortiSIEM Windows Agent installer attempts to establish a TLS connection to the Collector using cipher suites that require ECDHE or DHE key exchanges. The following error appears in Trace.log:

[1] ERROR FortiSIEM.Webproxy.AOWebService - Register exception
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at FortiSIEM.Common.Connection.sendReceive(Boolean isEvent, Byte[] bRequest, String method, String mimeType, String resource, Byte[]& bResponse)
at FortiSIEM.Webproxy.SuperManager.Register(String orgName, String orgId, String machineGuid, String agentVersion, String domain, String hostName, String hostIP, String vendor, String model, String osVersion, Boolean fExplicitHost, String& winDeviceId, String& winAgentId, String& winAgentPwd)
at FortiSIEM.Webproxy.AOWebService.Register(AORegister& aoRegister)

The server's existing cipher suite configuration lacked support for these modern ciphers, only listing deprecated RSA-based suites. Specifically:

  • The server only listed TLS_RSA_WITH_AES_128_CBC_SHA256.
  • The Collector required cipher suites such as ECDH+AESGCM or DH+AESGCM.
  • Additionally, the cipher list on the Collector explicitly excluded SHA-1 (!SHA), further narrowing compatibility.

 

Steps to Resolve:

  1. Verify Collector Cipher Suite Requirements:
    On the FortiSIEM Collector:


grep '^SSLProtocol\|^SSLCipherSuite' /etc/httpd/conf.d/ssl.conf

 

Example output:

 

SSLProtocol -all +TLSv1.2 +TLSv1.3

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS:!SHA

 

  2. Update Windows Server Cipher Suite Order:
    Modify the server's cipher suite policy to include a compatible suite:

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA256

 

Steps to Modify Cipher Suite Order on Windows Server 2012 R2:

  1. Open Group Policy Editor: Run gpedit.msc
  2. Navigate to: Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings.
  3. Open SSL Cipher Suite Order: Double-click it and set it to Enabled.
  4. In the Options section, paste the updated cipher suite order.
  5. Apply the changes and select 'OK'.
  6. Run gpupdate /force in an elevated command prompt.
  7. Reboot the server.
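
To confirm which cipher suites the agent host actually offers, before the change and again after the reboot, the following added PowerShell example (not Fortinet code) reads the configured suite list and classifies each entry by key exchange. It assumes the standard Schannel registry locations for the Group Policy and local default lists; the function names are hypothetical.

```powershell
# Added example (not Fortinet code). Function names are hypothetical.
# Lists the Schannel cipher suites configured on the agent host and reports
# which ones use an ECDHE or DHE key exchange.
# Assumption: standard Schannel registry locations for policy and local default lists.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-ConfiguredCipherSuite {
    # An Enabled "SSL Cipher Suite Order" policy stores one comma-separated string.
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        $source = 'Group Policy'
        $names  = $policy.Functions -split ','
    } else {
        # Policy not set: Schannel uses the local default list (multi-string value).
        $source = 'Local default'
        $local  = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue
        $names  = @($local.Functions)
    }
    foreach ($name in $names) {
        if ($name -and $name.Trim()) {
            New-Object psobject -Property @{ Source = $source; Suite = $name.Trim() }
        }
    }
}

function Get-KeyExchange([string]$Suite) {
    # Classify by the key-exchange prefix of the Windows suite name.
    switch -Regex ($Suite) {
        '^TLS_ECDHE_' { return 'ECDHE' }
        '^TLS_DHE_'   { return 'DHE' }
        '^TLS_RSA_'   { return 'RSA (static)' }
        default       { return 'Other' }
    }
}

$report = @(Get-ConfiguredCipherSuite | Select-Object Source, Suite,
    @{ Name = 'KeyExchange'; Expression = { Get-KeyExchange $_.Suite } })
$report | Format-Table -AutoSize

$ephemeral = @($report | Where-Object { $_.KeyExchange -match '^(ECDHE|DHE)$' })
if ($ephemeral.Count -eq 0) {
    Write-Warning 'No ECDHE or DHE cipher suite is configured on this host.'
} else {
    Write-Output ('{0} ECDHE/DHE suite(s) configured.' -f $ephemeral.Count)
}
```

A Source of "Local default" after the reboot means the Group Policy setting was not applied.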

 

Result:
After rebooting, the FortiSIEM Windows Agent installation should be successful.

 

Related article:

Technical Tip: Windows Agent Registration with Supervisor Troubleshooting
