willow
New Contributor III

Can't Connect to FortiAnalyzer Cloud after Upgrade

We have just upgraded our 100F from 7.0.17 to 7.4.9 with 7.0 going end of support.

It upgraded to 7.2 and then to 7.4.

Everything seems to work fine with the exception of FortiAnalyzer Cloud. It's refusing to connect and send logs. We did upgrade the FAZ from 7.4 to 7.6.4; however, it hasn't seemed to make any difference, and both versions seem to support our FortiGate version. I have also removed the device and re-added it to FA Cloud, still with no luck.

There are no access issues that I know of.

# exec ping fortianalyzer.forticloud.com
PING fortianalyzer.forticloud.com.geo.fortinet.net (154.52.2.161): 56 data bytes
64 bytes from 154.52.2.161: icmp_seq=0 ttl=52 time=20.6 ms
64 bytes from 154.52.2.161: icmp_seq=1 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=2 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=3 ttl=52 time=20.5 ms
64 bytes from 154.52.2.161: icmp_seq=4 ttl=52 time=20.5 ms

--- fortianalyzer.forticloud.com.geo.fortinet.net ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 20.5/20.5/20.6 ms

The only clue is an error with SSL:

exec log fortianalyzer-cloud test-connectivity
Failed to get FortiAnalyzer Cloud's status. SSL error. (-3)

However, I'm at a loss as to what to try next.

Any help appreciated :)

1 Solution
MT-DSG

Hello Bill,

Regarding the same issue, instead of changing the global setting, I modified the FortiAnalyzer Cloud logging configuration directly:

config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end

The FortiGate is now able to send logs and retrieve the FortiAnalyzer's serial number.

Thank you for your help


23 REPLIES
BillH_FTNT

Hi @MT-DSG 

This is a nice approach. Thanks

Bill

willow
New Contributor III

Hi Bill

Just upgraded to 7.4.9 to try the above and it's now connecting.

I'm assuming that whatever mismatch in the SSL versions has been sorted on Forti's side.

BillH_FTNT

Hi @willow 

I believe our engineering team is currently working on a similar issue to yours.
In the meantime, could you try the method that MT-DSG suggested above?

"Regarding the same issue, instead of changing the global setting, I modified the FortiAnalyzer Cloud logging configuration directly:

config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end

The FortiGate is now able to send logs and retrieve the FortiAnalyzer's serial number.

Thank you for your help"

Regards

Bill

willow
New Contributor III

Hi Bill

That was the plan; however, when I upgraded to 7.4.9 yesterday to try this, FortiAnalyzer connected first time with no issues or drama.

I can change the setting; however, I don't know if it would be indicative of anything.

FORTIGATE (setting) # show full-configuration
config log fortianalyzer-cloud setting
    set status enable
    set ips-archive disable
    set certificate-verification enable
    set serial "FAZVCLTMXXXXXXX"
    set preshared-key ''
    set access-config enable
    set enc-algorithm high
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate ''
    set source-ip ''
    set interface-select-method auto
    set upload-option realtime
    set priority default
    set max-log-rate 0
end

 

I am assuming the issue was fixed somehow over the weekend.

Kind Regards


@BillH_FTNT wrote:

Hi @willow 

I believe our engineering team is currently working on a similar issue to yours.
In the meantime, could you try the method that MT-DSG suggested above?

"Regarding the same issue, instead of changing the global setting, I modified the FortiAnalyzer Cloud logging configuration directly:

config log fortianalyzer-cloud setting
    set status enable
    set ssl-min-proto-version TLSv1-3
end

The FortiGate is now able to send logs and retrieve the FortiAnalyzer's serial number.

Thank you for your help"

Regards

Bill
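
To check which TLS floor the FortiAnalyzer Cloud link ends up with (the per-link `ssl-min-proto-version`, or the `config system global` value when the link is left at `default`, as in the output posted above), here is an added example that is not part of the thread or of Fortinet's tooling. The sample config, the function names and the TLSv1-2 policy threshold are assumptions made for the example, and the parser only handles flat `config ... end` blocks.

```python
import re

# Constructed sample shaped like `show full-configuration` output; values are illustrative.
SAMPLE = '''\
config system global
    set ssl-min-proto-version TLSv1-2
end
config log fortianalyzer-cloud setting
    set status enable
    set certificate-verification enable
    set enc-algorithm high
    set ssl-min-proto-version default
end
'''

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2", "TLSv1-3"]
MIN_OK = "TLSv1-2"  # assumed policy threshold for this example, not a Fortinet rule

def parse_blocks(text):
    """Return {block path: {key: value}} for flat (non-nested) config ... end blocks."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            current = blocks.setdefault(line[len("config "):], {})
        elif line == "end":
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.*)", line)):
            current[m.group(1)] = m.group(2).strip("\"'")
    return blocks

def audit_faz_cloud(text):
    """Resolve the effective TLS floor for the FAZ Cloud link and list weak settings."""
    blocks = parse_blocks(text)
    link = blocks.get("log fortianalyzer-cloud setting", {})
    floor, source = link.get("ssl-min-proto-version", "default"), "fortianalyzer-cloud setting"
    if floor == "default":  # "default" means the link follows the system global value
        floor = blocks.get("system global", {}).get("ssl-min-proto-version", "unknown")
        source = "system global"
    findings = []
    if link.get("status") != "enable":
        findings.append("logging to FortiAnalyzer Cloud is disabled")
    if link.get("certificate-verification") != "enable":
        findings.append("certificate-verification is not enabled")
    if floor in TLS_ORDER and TLS_ORDER.index(floor) < TLS_ORDER.index(MIN_OK):
        findings.append(f"TLS floor {floor} is below {MIN_OK}")
    return {"floor": floor, "source": source, "findings": findings}
```

Running it over configs saved before and after applying the per-link override shows whether a device is still pinned to TLSv1-3 or has gone back to inheriting the global value.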


 
