theFWdude
New Contributor

FortiSIEM Login Errors

All,

My MSP vendor who uses FortiSIEM rebuilt their collector due to a serious crash this week.  One of my FortiGates is currently logging this error: Administrator "FortiSIEM" login failed from ssh(1.1.1.1) because of invalid ssh key; This alert fires off a "Failed Login" alert in my FAZ and is driving me crazy.  The collector actually logs in and out just fine; I don't understand why I'm getting this alert. 

The only difference between this FortiGate and my other FortiGates is that it's currently running 5.6.6, the rest are 5.6.3.  Anyone else seeing this? 

My failed login alerts have been disabled due to alert fatigue. 

-TFWD

DJ
New Contributor

@theFWdude: did you get a response? Solution? Have the same issue...

DJ

 

Admin Network Security

RISQ

theFWdude
New Contributor

Apologies for the delay. Unfortunately, the FortiSIEM is managed by a vendor of ours who was able to resolve the issue(s) with Fortinet Support. I wish I had some details to provide, but I do not.

-TFWD

saxon

It's a bit late, but in case anyone else finds this:

I'm willing to bet it's because you have an HA pair and FortiGate devices have the SSH key, not the cluster. So the software connecting to your pair saved the key when one of the devices was master, and now that the other one is master it's freaking out because of the key change.

If so, remove and save the line in your ~/.ssh/known_hosts for the device (search by its IP and/or hostname), reconnect and save the new key, then edit known_hosts and add the old key back in. Now you have two lines, one for each key, so it shouldn't care which is master.
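
The known_hosts procedure in the reply above, as an added example that is not part of any poster's message: shell helpers that append a second host key for the same address without dropping the first, so either HA member is accepted. The function names, the sample address and the key strings are hypothetical or constructed, and the file is assumed to hold unhashed entries.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes unhashed known_hosts entries
# (HashKnownHosts no); for hashed files use `ssh-keygen -F host -f file`
# to locate the existing line instead of matching on the host field.

# list_host_keys FILE HOST
# Prints "keytype keydata" for every entry whose host field lists HOST.
list_host_keys() {
    awk -v h="$2" '
        NF < 3        { next }   # blank or malformed line
        $1 ~ /^[#@]/  { next }   # comment, @cert-authority, @revoked
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; break }
        }' "$1"
}

# count_host_keys FILE HOST
# Number of distinct lines currently trusted for HOST.
count_host_keys() {
    list_host_keys "$1" "$2" | wc -l | tr -d ' '
}

# add_host_key FILE HOST KEYTYPE KEYDATA
# Appends the key as an extra line unless that exact key is already
# present for HOST. Existing lines are never removed, so the key of the
# other HA member stays trusted.
add_host_key() {
    if list_host_keys "$1" "$2" | grep -qxF "$3 $4"; then
        return 0
    fi
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

# Usage (constructed values; verify each key's fingerprint on the
# device console before trusting it):
#   add_host_key ~/.ssh/known_hosts 192.0.2.10 ssh-ed25519 AAAA...memberB
#   count_host_keys ~/.ssh/known_hosts 192.0.2.10    # 2 once both are stored
```

After both members' keys are stored, a failover changes which line matches but no longer triggers a host key mismatch on the connecting client.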
