Support Forum
Owen_Air
New Contributor

FortiAnalyzer: SSL Error with D & E Series FortiGate

Hi there,

I have a FortiAnalyzer hosted in Azure running v7.4.1. Most of the D series and some E series firewalls are not able to connect to the FAZ, and an SSL error is generated on test and in the system logs.

I do have other models which don't have the issue. I have 58 devices in total (60E, 61F, 81F, 60F, VM64 - Azure).

The firewalls which are having issues are on the following versions:

60D | 6.0.17 Build0528 (GA)
80E | 6.0.16 Build0505 (GA)
90D | 6.0.16 Build0505 (GA)

The error message generated in the system logs of the firewalls is as follows.


Log Description: FortiAnalyzer connection failed
Action: connect
Status: failure
Reason: ssl_connect() failed: 1
Event Message: Failed to connect FortiAnalyzer "IP Removed"
Log event original timestamp: 1697620251
Log ID: 22903
Sub Type: system


AEK
Honored Contributor

Hi Owen

On your FortiGate:

config log fortianalyzer setting

Then try changing the parameters below to a higher security setting.

enc-algorithm
ssl-min-proto-version

AEK
Owen_Air
New Contributor

Hi there,

Here are the current settings.

# show
config log fortianalyzer setting
set status enable
set server "IP REDACTED"
set ssl-min-proto-version SSLv3
set reliable enable
end


Owen_Air

Still getting the same problem. 

AEK
Honored Contributor

Hi

Please share this output:

config log fortianalyzer setting
get
set enc-algorithm ?
set ssl-min-proto-version ?

AEK
Owen_Air
New Contributor

Hi There, 

Please see the FortiGate settings:


unit6 # config log fortianalyzer setting

(setting) # get
status : enable
ips-archive : enable
server : IP REDACTED
enc-algorithm : high
ssl-min-proto-version: SSLv3
conn-timeout : 10
monitor-keepalive-period: 5
monitor-failure-retry-period: 5
certificate :
source-ip :
upload-option : 5-minute
reliable : enable

Owen_Air

FAZ side:


(global)# get
ssl-low-encryption : enable
ssl-protocol : tlsv1.3 tlsv1.2

(central-management)# get
type : fortimanager
allow-monitor : enable
fmg : (null)
enc-algorithm : default
authorized-manager-only: enable
serial-number :

AEK
Honored Contributor

ssl-min-proto-version on your FG is not OK.

Should be TLS 1.2

AEK
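The replies above turn on whether the FortiGate's `ssl-min-proto-version` and the FortiAnalyzer's `ssl-protocol` list leave any TLS version both sides can negotiate. The script below is an added example, not code from either poster or from Fortinet: it parses the two `get` outputs pasted earlier in the thread and reports the versions they have in common. It assumes that `ssl-min-proto-version` is a minimum (that version and every newer one is offered) and that the FAZ `ssl-protocol` value is the explicit list of accepted versions; the FortiGate value `TLSv1-3` and the FAZ tokens other than `tlsv1.2` and `tlsv1.3` are assumed spellings that do not appear on this page. Function names are the example's own.

```python
"""Check whether a FortiGate's FortiAnalyzer log settings and the
FortiAnalyzer's global SSL settings share at least one TLS version.

Added example, not from the forum posters. Assumptions: the FortiGate
ssl-min-proto-version is a minimum (that version and everything newer is
offered) and the FAZ ssl-protocol value is the explicit list of versions
the FAZ accepts. The FortiGate value TLSv1-3 and the FAZ tokens other
than tlsv1.2/tlsv1.3 are assumed spellings, not taken from the thread.
"""

# Protocol versions from oldest to newest, in the spelling each side uses.
# SSLv3, TLSv1-2, tlsv1.2 and tlsv1.3 are the values seen in the thread;
# the remaining entries are assumptions.
FGT_VERSIONS = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2", "TLSv1-3"]
FAZ_VERSIONS = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]
CANONICAL = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]

FGT_TO_CANON = dict(zip(FGT_VERSIONS, CANONICAL))
FAZ_TO_CANON = dict(zip(FAZ_VERSIONS, CANONICAL))


def parse_get(output: str) -> dict:
    """Parse the `key : value` lines of a FortiOS/FAZ `get` output into a dict."""
    settings = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # prompt lines such as "(setting) # get" carry no setting
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def fortigate_offered(min_version: str) -> set:
    """Versions the FortiGate will offer, given its ssl-min-proto-version."""
    if min_version not in FGT_TO_CANON:
        raise ValueError(f"unknown FortiGate proto version: {min_version!r}")
    start = CANONICAL.index(FGT_TO_CANON[min_version])
    return set(CANONICAL[start:])


def fortianalyzer_enabled(ssl_protocol: str) -> set:
    """Versions the FortiAnalyzer has enabled in its global ssl-protocol list."""
    enabled = set()
    for token in ssl_protocol.split():
        if token not in FAZ_TO_CANON:
            raise ValueError(f"unknown FortiAnalyzer proto version: {token!r}")
        enabled.add(FAZ_TO_CANON[token])
    return enabled


def common_versions(fgt_get: str, faz_get: str) -> set:
    """Return the TLS versions both sides can negotiate. An empty set means
    the handshake fails on protocol version alone, before any cipher is chosen."""
    fgt = parse_get(fgt_get)
    faz = parse_get(faz_get)
    offered = fortigate_offered(fgt["ssl-min-proto-version"])
    enabled = fortianalyzer_enabled(faz["ssl-protocol"])
    return offered & enabled


# Constructed inputs, copied from the outputs pasted earlier in the thread.
FGT_GET = """\
(setting) # get
status : enable
ips-archive : enable
server : IP REDACTED
enc-algorithm : high
ssl-min-proto-version: SSLv3
conn-timeout : 10
reliable : enable
"""

FAZ_GET = """\
(global)# get
ssl-low-encryption : enable
ssl-protocol : tlsv1.3 tlsv1.2
"""

if __name__ == "__main__":
    shared = common_versions(FGT_GET, FAZ_GET)
    if shared:
        print("protocol versions in common:", sorted(shared))
        print("no protocol-version mismatch; check cipher suites "
              "(enc-algorithm / ssl-low-encryption) and certificates next")
    else:
        print("no protocol version in common: the handshake cannot succeed")
```

With the values pasted in the thread the two sides share TLS 1.2 and TLS 1.3, so a `ssl_connect()` failure would have to come from something other than the protocol-version floor (cipher suites or certificates, which this check does not model); changing the FortiGate minimum to `TLSv1-2` leaves the same two versions in common.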
Owen_Air
New Contributor

Hi there,

I've changed the FortiGate setting but still get the same problem.

# get
status : enable
ips-archive : enable
server : IP Removed
enc-algorithm : high
ssl-min-proto-version: TLSv1-2


AEK
Honored Contributor

Try deleting this FGT from the FAZ and then adding it again.

AEK