- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Can't connect FGT to FAZ
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't connect FGT to FAZ
Hi Guys,
Can't connect FGT (ver:6.0.5) to FAZ (ver: 6.2.1 FortiAnalyzer), connectivity test fails;
FGT been added to FAZ devices;
exec log fortianalyzer test-connectivity Failed to get FAZ's status. SSL error. (-3)
Capture shows that FAZ sending RST back to FGT:
66.345323 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: syn 1195392681 66.345952 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: syn 1231566839 ack 1195392682 66.346003 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231566840 66.346728 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392682 ack 1231566840 66.346857 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: psh 1231566840 ack 1195392682 66.346885 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: ack 1231567207 66.346990 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392843 66.347044 port10 out 172.16.102.248.13765 -> 172.16.102.247.541: psh 1195392843 ack 1231567207 66.347382 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: ack 1195392850 67.349171 port10 in 172.16.102.247.541 -> 172.16.102.248.13765: rst 1231567207 ack 1195392850 << FAZ sending RST
Debug messages:
FortiGate-VM64 # diagnose debug enable FortiGate-VM64 # diagnose debug application miglogd -1 Debug messages will be on for 30 minutes.
FortiGate-VM64 # <158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5. <124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5. <158> __handle_logs()-1236: 1212 bytes received <158> send_report_log_buffer()-73: Fail to sent logs to reportd. err:111(Connection refused) <124> __check_vdom_disk_usage()-2508: vfid:0 vd quota:100 total used:0
<158> __handle_logs()-1236: 2328 bytes received <158> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5. <124> _rmt_connect()-1289: oftp_connect(global-faz) failed: ssl_connect() failed: 5.
Any idea?
Thank you for your input and help!
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi guys,
i am having the same issue with my lab on VM workstation, with the same error message.
but now it is solved for me.
this is my config :
on Fortigate :
FortiGate-VM64-1 # config log fortianalyzer setting
FortiGate-VM64-1 (setting) # set status enable
FortiGate-VM64-1 (setting) # set server 172.16.10.250
FortiGate-VM64-1 (setting) # set reliable enable
FortiGate-VM64-1 (setting) # get status : enable ips-archive : enable server : 172.16.10.250 certificate-verification: enable serial : access-config : enable enc-algorithm : low ssl-min-proto-version: default conn-timeout : 10 monitor-keepalive-period: 5 monitor-failure-retry-period: 5 certificate : source-ip : upload-option : 5-minute reliable : enable
on FAZ:
FAZVM64 # config system global
(global)# set enc-algorithm low
(global)# set ssl-low-encryption enable
(global)# set oftp-ssl-protocol tlsv1.0
(global)# end enc-algorithm setting change will cause all existing FGFM tunnel/WebService connection reset. Do you want to continue? (y/n)y
killall: fgfmsd: no process killed killall: fgfmsd: no process killed
FAZVM64 #
i hope this work with you ,, ;)
Thank You
regards
Genar
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys, looking for your support with FG 5.6.12 connecting to FAZ v6.4.6
FAZ:
config system global set adom-mode advanced set adom-status enable set daylightsavetime disable set hostname "xxxxx" set latitude "0" set log-forward-cache-size 4 set longitude "180" set oftp-ssl-protocol tlsv1.0 set ssl-protocol tlsv1.2 tlsv1.1 tlsv1.0 set timezone 89 set webservice-proto tlsv1.2 tlsv1.1 tlsv1.0
FG:
config log fortianalyzer setting set status enable set ips-archive enable set server "10.12.0.100" set enc-algorithm low set conn-timeout 10 set monitor-keepalive-period 5 set monitor-failure-retry-period 5 set certificate '' set source-ip "172.20.1.12" set upload-option realtime set reliable disable
When testing:
execute log fortianalyzer test-connectivity Failed to get FAZ's status. Authentication Failed. (-19)
In FAZ there is no "unauthorized devices". Tried to reboot the FAZ and different enc/oftp settings - no luck.
In debug mode I noticed this error:
2021-07-17 19:03:57 [__SSL_info_callback:296] SSL negotiation finished successfully [ protocol : (771) TLS 1.2 ] 2021-07-17 19:03:57 [find_add_logdev:1941 FGxxxxxx] Warn Couldn't register DVM device due to can not register this device, error code -1002
and no clue what is code -1002 means - google did not help.
Has anyone met with such issue ?
ping and tcp-514 are running well, no blocks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, works like a charm :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This saved me a whole lot of time. Thanks genar! This works well in virtualbox and gns3.
Created on 08-16-2023 10:16 PM Edited on 08-16-2023 10:17 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works on my VM workstation lab too. All VMs were using free perm trial license.
FAZ v7.2.1
FTG v7.2.3
I can even disable reliable connection (set reliable disable) on FortiGate.
Thank you genar. The Fortigate official admin guide don't talk about it and even the technic tip. The best I found official is this https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connectivity-issue-between-FortiGate-and/t...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Genar, Thank you so much
I changed some lines based on your code and it worked
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank yo Frosty!
Do you recall what was the command on FGT?
this is my current settings:
FortiGate-VM64 # get log fortianalyzer setting status : enable ips-archive : enable server : 172.16.x.x enc-algorithm : low ssl-min-proto-version: default conn-timeout : 10 monitor-keepalive-period: 5 monitor-failure-retry-period: 5 certificate : source-ip : upload-option : realtime reliable : enable
How to make sure that Encryption is enabled?
Thank you!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- « Previous
-
- 1
- 2
- Next »
Related Posts
- connect fortigate to 2 sophos at... 70 Views
- Fortigate 60d boot device failing 106 Views
- User Getting The server you want... 129 Views
- FortiClient IPSec VPN keeps connecting to... 78 Views
- Forticlient Radius Authentication Across IPSEC Tunnel 180 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.