iizuca
New Contributor

Configuring Syslog TLS on FortiGate resulted in Handshake Error (Unknown CA).

Hello everyone.


I am trying to configure Syslog TLS on FortiGate 100D, but it does not work so far.

- Imported syslog server's CA certificate from GUI web console.

- Configured Syslog TLS from CLI console.

I captured the packets at syslog server and found out that FortiGate sends SSL Alert (Unknown CA) after SSL Server Hello.


I also have FortiGate 50E for test purpose.

I installed same OS version as 100D and do same setting, it works just fine.


I suspect the cause is that 100D uses management-port (not sure).

But as 100D is in production environment, I cannot delete management-port to check that.


Please advise.

6 REPLIES
Debbie_FTNT
Staff

Dear iizuca,

on your (working) 100D, you suspect connection to syslog is working because it uses the management interface, correct?

You can probably verify this with a diag sniffer command:
#diag sniffer packet any 'host <syslog IP> and port <syslog port>' 4 100 a

-> using verbosity 4 causes FortiGate to print which interface the traffic is arriving/leaving on

-> that should show if the traffic is going via the management interface or not


The outgoing interface shouldn't have anything to do with unknown CA error, though.
Have you double-checked that the FortiGate 50E has the correct root certificate imported? In addition, if there is an intermediate CA, you might want to import that too; FortiGate could be having issues with validating a chain.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
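The chain-validation point in the reply above (root imported but intermediate missing) can be reproduced offline. The script below is an added example, not taken from this thread or from Fortinet's tooling; it assumes the openssl CLI (1.1.1 or later) is on PATH, and every certificate name and file path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the forum thread or Fortinet's own tooling.
# Builds a constructed root -> intermediate -> leaf chain with the openssl CLI,
# then validates the leaf the way a TLS client (the FortiGate in this thread)
# would: with only the root trusted (fails, the "Unknown CA" symptom) and with
# the intermediate available (succeeds). Assumes openssl >= 1.1.1 is installed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Build the chain: self-signed root CA, intermediate CA signed by the root,
# and a "syslog server" leaf signed by the intermediate only.
build_chain() {
  # Extensions shared by the two CA certificates
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

  # Root CA: CSR self-signed with explicit CA extensions
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

  # Intermediate CA: CSR signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" >/dev/null 2>&1 || return 1

  # Leaf for the syslog server, signed by the intermediate (constructed name)
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=syslog.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# Trust only the root: the client cannot link leaf -> root without the
# intermediate, which a TLS client surfaces as an "Unknown CA" alert.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Intermediate supplied as an untrusted chain certificate, as a correctly
# configured syslog server would send it during the handshake.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Root and intermediate both in the trust store: the equivalent of importing
# both CA certificates on the client, as the reply above suggests.
verify_with_bundle() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

main() {
  build_chain || { echo "chain build failed (is openssl installed?)"; return 1; }
  for check in verify_root_only verify_with_intermediate verify_with_bundle; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAIL"; fi
  done
}

main "$@"
```

Only the first check fails: trusting the root alone is not enough when the server's leaf was issued by an intermediate the client has never seen, and that missing link is exactly what the client reports as an unknown CA. Either the server must send the intermediate in its certificate message or the client must have it imported alongside the root.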
iizuca
New Contributor

Dear Debbie


Thank you for replying.

Let me explain more detail.

For 100D, management interface is used only for management access (SSH/HTTPS).

Syslog server is on the Internet, so the outgoing interface is wan1.

Forward Traffic log shows that syslog packets have source IP of management interface and NATed to go out to the Internet. The log also shows it ended with client-rst (I think 100D sent RST because of Unknown CA error).


On the other hand, 50E, which does not have dedicated management port, sends traffic with source IP address of wan1 (no NAT needed), and working fine.


I checked config with "show full-configuration log syslogd setting" and there is no difference.


Any ideas?

Debbie_FTNT

Hey iizuca,

if the 100D is using management interface to send out the syslog, even though this is not expected - do you have HA on your 100D?

FortiGate overrides what outgoing interface is used for logging if HA is enabled and the setting 'ha-direct'.
Check this output:
#config system ha
#show full
-> is HA enabled? Is there an HA interface set?
-> if yes, is ha-direct enabled?

If you do not have an HA setup, I'm not sure why FortiGate should be using the management interface for logging. You can check the syslog server settings in FortiGate:
#config log syslogd setting
#show full
-> check if a source IP is configured

Other than that, I wouldn't know off the top of my head what's going on; this would likely require more in-depth troubleshooting. You might want to reach out to Fortinet Technical Support then.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
iizuca

Hi Debbie


Yes. 100D has HA and ha-direct is enabled.

Can source-ip or interface-select-method/interface under syslog setting override this behavior?

Debbie_FTNT

Hey iizuca,

source IP does NOT override it, and I'm not sure about interface-select-method.

You can give it a try, if the setting is available (100D is a somewhat older model, and interface-select-method a fairly new setting), but if it has no effect, the only option to force wan interface is to disable HA direct.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
iizuca

Thank you.

I will try interface-select-method and report back here.
