Hi,
I am new here so I do not know to which location I should point this message.
We just upgraded our FortiGate firewalls in AWS and Azure to Firmware v7.0.14 build0601, and since then the configuration backup stopped in our monitoring system (Orion), and I am getting the following test results:
Error: Server signature does not match.
Test Id: e90dabd8-4fc0-4e5e-b28d-edabf52c0b4f
Engine Id: 4
Engine name:
Engine IP:
Remote host:
TEST LOG:
2/22/2024 8:37:00 PM: Setting WeOnlyDo properties
2/22/2024 8:37:00 PM: Starting connection procedure
2/22/2024 8:37:00 PM: State change detected: Disconnected -> Connecting
2/22/2024 8:37:00 PM: State change detected: Connecting -> Disconnected
2/22/2024 8:37:00 PM: Test connection procedure finished. Time elapsed: 00:00:00.4617603
2/22/2024 8:37:00 PM: Server signature does not match.
TEST PROPERTIES:
allocatePty : True
authentication : Password
encryptionList : aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se
encryptionMethod : encAny
exitSignal : Not Set
fingerPrintType : MD5
fips : False
forwardHost : Not Set
forwardPort : 0
hMacList : hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
hostname :
keepAlives : 0
keyExchangeList : diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ext-info-c
keyForwarding : False
keySignatureList : rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
password :
port : 22
protocol : Ssh2
proxyHostname : Not Set
proxyLogin : Not Set
proxyPort : 1080
proxyType : ProxyNone
showStdErrorMessages : True
stripAnsi : True
subsystem : Not Set
terminalType : vt100
timeout : 20
username :
No configuration was changed in Orion at all. Would you please help to resolve this issue?
Appreciate your help,
Hello hyaqoob,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
I am running into the same issue with our NMS (LogicMonitor).
I was looking through the system events on the FortiGate and am seeing the following log repeated from our NMS:
"Negotiation failed: no matching host key type found. Their offer: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521."
It looks like the FortiGates are only offering the following host keys after debugging the SSH process:
SSH: list_hostkey_types: rsa-sha2-512,ssh-ed25519
Per this article, after upgrading to 7.0.13 ssh-rsa was removed which may be what the NMS is using:
I was able to change the SSH library in LogicMonitor from jsch to sshj which resolved this for us.
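The host key mismatch reported in the post above can be reproduced offline. This is an added example, not code from the thread, Fortinet, or either NMS vendor: it parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and applies the simplified "first client entry the server also offers" rule. The server payload is constructed from the `list_hostkey_types` debug line, and treating Orion's `keySignatureList` as its host key offer is an assumption.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([20]) + bytes(16)  # message type 20 + 16-byte cookie (zeroed)
    for f in FIELDS:
        raw = ",".join(lists.get(f, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the name-lists from a KEXINIT payload, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for f in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated before " + f)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("name-list %s overruns payload" % f)
        raw = payload[off:off + n].decode("ascii")
        out[f] = raw.split(",") if raw else []
        off += n
    return out

def negotiate(client, server):
    """First entry in the client's list that the server also offers, else None."""
    return next((a for a in client if a in server), None)

# Constructed server KEXINIT carrying the host key list from the FortiGate debug line.
SERVER = parse_kexinit(build_kexinit({"host_key": ["rsa-sha2-512", "ssh-ed25519"]}))
# Client offers copied from the thread (Orion's keySignatureList is assumed to be its offer).
JSCH_OFFER = "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521".split(",")
ORION_OFFER = "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss".split(",")

def report():
    return {name: negotiate(offer, SERVER["host_key"])
            for name, offer in (("jsch", JSCH_OFFER), ("orion", ORION_OFFER))}

if __name__ == "__main__":
    for client, algo in report().items():
        print(client, "->", algo or "no matching host key type")
```

A `None` result corresponds to the "no matching host key type found" event logged on the FortiGate.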
Hi all,
Starting from 7.0.13, FortiOS enforces strong cryptography.
Therefore you have collateral fine-tuning to do on the 3rd-party tools that still use weak crypto.
You may refer to that documentation for the changes:
We have disabled strong cyphers and allowed aes128-ctr as when connecting it was rejecting
following that documentation
https://docs.fortinet.com/document/fortigate/7.0.13/administration-guide/484445/fortigate-encryption...
Also, there are a few articles you may want to take a look at to have a more comprehensive view:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-global-commands-for-stronger-an...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Cipher-suites-offered-by-FortiGate/ta-p/19...
Hope it helps
Cheers
Vincent
Copyright 2024 Fortinet, Inc. All Rights Reserved.