FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
aebadi
Staff
Article Id 307174
Description This article describes how to fix a Collector upgrade through the GUI that fails with the error 'unzip failed 127'.
Scope

FortiSIEM v6.4.0 or higher.

Solution

During an attempt to upgrade the collector, the following error appears when looking through the error logs: 'unzip failed 127'.

 

The Collector upgrade logs, which show why the upgrade failed, are in two locations:

  1. /usr/local/upgrade/logs/ansible.log
  2. /opt/phoenix/log/collector-upgrade.log

Before running the upgrade, run some checks to make sure the Collector is healthy enough to attempt the upgrade:

  1. Super and Collectors are in a healthy state.
  2. The Collector can Discover devices.
  3. The DNS servers need to be able to resolve update.fortiguard.net, and the host must be reachable on port 443:

nmap update.fortiguard.net -p 443

curl -kv https://update.fortiguard.net

 

Example of correct output:

 

curl -kv https://update.fortiguard.net
* Rebuilt URL to: https://update.fortiguard.net/
* Trying 173.243.138.67...
* TCP_NODELAY set
* Connected to update.fortiguard.net (173.243.138.67) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=FDS; CN=fds1.fortinet.com; emailAddress=support@fortinet.com
* start date: Dec 14 17:46:55 2023 GMT
* expire date: Jun 11 17:46:55 2024 GMT
* issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=support; emailAddress=support@fortinet.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: update.fortiguard.net
> User-Agent: curl/7.61.1
> Accept: */*
>
* Empty reply from server
* Connection #0 to host update.fortiguard.net left intact
curl: (52) Empty reply from server

 

If the response is not as expected and a proxy is in use, configure the proxy settings:

 

Resources -> Malware Domains -> FortiGuard Malware Domain -> More -> Use Proxy.

 


 

  4. The hosts file needs to have FQDN hostnames for both Supervisor and Collector (on each Collector).
  5. It is better to apply all pending package updates before the upgrade:

yum update

 

  6. Verify that the Collector image reached the Supervisor and has the correct hash:

cd /opt/phoenix/CollectorUpgrade/

ls -l

sha256sum FSM_Upgrade_All_6.5.0_build1511.zip

02af9c4f870a95e6ee2b2c4493b4a6b14afd47f9862c5176509b25717608ae65 FSM_Upgrade_All_6.5.0_build1511.zip

 

Replace the file name with the name of the image actually used for the upgrade.

Example:

 

sha256sum Your-FSM-Version-Upgrade

 

  7. After the Download portion of the Collector upgrade is complete, verify that the hash on the Collector matches:

cd /opt/upgrade/

ls -l

sha256sum FSM_Upgrade_All_6.5.0_build1511.zip

 

  8. If everything is correct and the error 'unzip failed 127' still appears, install the following package and retry the upgrade:

yum install p7zip
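
The hash comparison between the Supervisor and the Collector in the steps above can be scripted instead of compared by eye. This is an added example, not part of the original article or of FortiSIEM's own tooling; the function name verify_image and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the image on the Collector with the sha256sum line
# copied from the Supervisor. Return codes are this script's own convention:
#   0 match, 1 mismatch, 2 unusable reference line, 3 file unreadable.
verify_image() {
    file=$1
    # Reference line has the form "<64 hex digits>  <file name>"
    ref_hash=$(printf '%s\n' "$2" | awk '{print tolower($1)}')
    ref_name=$(printf '%s\n' "$2" | awk '{print $2}')
    ref_name=${ref_name#\*}          # sha256sum marks binary mode with '*'

    case $ref_hash in
        ''|*[!0-9a-f]*) echo "malformed hash in reference line" >&2; return 2 ;;
    esac
    [ "${#ref_hash}" -eq 64 ] || { echo "hash is not 64 hex digits" >&2; return 2; }

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 3; }

    # A reference line for a different file name means the wrong line was pasted.
    if [ -n "$ref_name" ] && [ "$(basename "$ref_name")" != "$(basename "$file")" ]; then
        echo "reference is for $ref_name, not $(basename "$file")" >&2
        return 2
    fi

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$ref_hash" ]; then
        echo "OK: $file matches the Supervisor copy"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  supervisor: $ref_hash" >&2
    echo "  collector:  $actual" >&2
    return 1
}

# Usage: sh verify_image.sh /opt/upgrade/<image>.zip "<sha256sum line from Supervisor>"
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

A mismatch (return code 1) means the download to the Collector is incomplete or altered and the image should be transferred again before retrying the upgrade.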