Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Owen_Air
New Contributor

Forti-Analyzer : SSL Error with D & E Series Fortigate

Hi There, 

 

I have a Forti-Analyzer hosted in azure running V7.4.1 most the D series and some E series firewalls are not able to connect to the FAZ and there's an SSL error generated on test and in the system logs.

 

I do have other models which don't have the issue, I have 58 devices in total (60E, 61F, 81F, 60F, VM64 - Azure) 

 

The firewalls which are having issues are on the following versions -

 

60D | 6.0.17 Build0528 (GA)

80E | 6.0.16 Build0505 (GA)

90D | 6.0.16 Build0505 (GA)

 

 

 

The error message generated in the system logs of the firewalls are as follows. 

 

Log Description FortiAnalyzer connection failed

Action connect
Status failure
Reason ssl_connect() failed: 1

Event
Message Failed to connect FortiAnalyzer "IP Removed"


Log event original timestamp 1697620251
Log ID 22903
Sub Type system

 

 

11 REPLIES 11
AEK
Honored Contributor II

Hi Owen

 

On your FortiGate:

config log fortianalyzer setting

Then try change the below parameters to a higher security.

enc-algorithm
ssl-min-proto-version

 

AEK
AEK
Owen_Air
New Contributor

Hi There, 

 

here are the current settings. 

# show
config log fortianalyzer setting
set status enable
set server "IP REDACTED"
set ssl-min-proto-version SSLv3
set reliable enable
end

 

Owen_Air

Still getting the same problem. 

AEK
Honored Contributor II

Hi

Please share this output:

config log fortianalyzer setting
get
set enc-algorithm ?
set ssl-min-proto-version ?

 

AEK
AEK
Owen_Air
New Contributor

Hi There, 

Please see the fortigate setting:

 

unit6 # config log fortianalyzer setting

(setting) # get
status : enable
ips-archive : enable
server : IP REDACTED
enc-algorithm : high
ssl-min-proto-version: SSLv3
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable

Owen_Air

Faz Side :

 

(global)# get
ssl-low-encryption : enable
ssl-protocol : tlsv1.3 tlsv1.2

(central-management)# get
get
type : fortimanager
allow-monitor : enable
fmg : (null)
enc-algorithm : default
authorized-manager-only: enable
serial-number :

AEK
Honored Contributor II

ssl-min-proto-version on your FG is not ok.

Should be TLS 1.2

AEK
AEK
Owen_Air
New Contributor

Hi There, 

 

I've changed the FortiGate setting but still get the same problem. 

 


# get
status : enable
ips-archive : enable
server : IP Removed
enc-algorithm : high
ssl-min-proto-version: TLSv1-2

 

AEK
Honored Contributor II

Try delete this FGT from FAZ and then add it again.

AEK
AEK
Labels
Top Kudoed Authors