Hello guys,
We are adding firewalls to be managed by the FMG.
We added all the branch firewalls to the FMG in the HQ, but weirdly the branches firewall in the HQ, which is the assembly point for our branch firewalls, has a problem when we are trying to add it to the FMG, although, as I mentioned, all the firewalls that pass through it were added to the FMG.
I captured the traffic between them and found that the firewall itself kills the session ("sending FIN to the FMG").
Find the two attached photos, which show the capture.
172.130.201.2 is the FGT; 10.130.139.100 is the FMG.
I tried to add a source IP on the FortiGate config destined to the FMG.
The policies should allow all the ports between them.
Any idea about that?
Hi MoX
Which FMG & FGT versions, please?
Hi AEK
FGT is on 7.0.14 and FMG on 7.0.12.
The other FGTs that had no issues were on the same version, 7.0.14, as well.
The FMG has a license to manage 10 devices for now, and currently 8 FGTs have been added.
Hi MoX
I remember a post initiated by @sw2090; I think your issue looks the same. It was a certificate-related problem.
Hope it helps.
In fact it was a DPI issue that hit us with 7.0.14. It however never occurred before 7.0.13/7.0.14. I guess Fortinet did some changes on the fgfm protocol (for security reasons, since there was a CVE) that brought that into effect.
However, even the fgfm debug log, neither on the FMG nor on the FGT side, gave a clue about that, since there was no actual error message. You could thus check by e.g. doing "dia debug app fgfmd 255" on the FGT side.
TAC had to provide two debug releases of 7.0.14 to us, and only the second of those gave the clue we needed to find the culprit.
So I recommend checking the fgfm debug log and also checking if any policy that matches fgfm traffic between FMG and FGT (in BOTH directions) has SSL Deep Inspection active. If so, remove it or create an extra policy for FGFM that matches first. That fixed it for us.
Btw: sorry for the late reply but I was off for vacation for the last two weeks ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
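The check sw2090 describes (look at every policy that could carry FGFM traffic in either direction and see whether an SSL deep-inspection profile is attached) can be scripted against a FortiOS config export. The following is an added example, not code from this thread or from Fortinet. It parses the "config firewall policy" section of a backup, then reports accepted policies that match FGT-to-FMG or FMG-to-FGT traffic by address-object name and carry a profile from a set of deep-inspection profile names. The config snippet is constructed for the example; the address-object names ("FGT-mgmt", "FMG") and the assumption that "deep-inspection" is the deep-inspection profile (FortiOS ships one under that name, but any custom profile has to be added to the set) are the example's own. Matching by address-object name only is a simplification: a real policy lookup also depends on interfaces, address groups and subnets.

```python
"""Audit a FortiOS config export for policies that deep-inspect FGFM (TCP/541).

Added example, not the forum's or Fortinet's code. Policies are matched by
address-object name only (no group/subnet resolution), which is enough to
surface candidates for manual review.
"""
import re

# Constructed sample: three policies, two of them between the FGT and the FMG.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set name "FGT-to-FMG"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "FGT-mgmt"
        set dstaddr "FMG"
        set action accept
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
    edit 11
        set name "FMG-to-FGT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "FMG"
        set dstaddr "FGT-mgmt"
        set action accept
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 12
        set name "branch-users"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set ssl-ssh-profile "deep-inspection"
    next
end
"""

# Assumption: profile names that perform full TLS interception. Extend with
# any custom profile whose HTTPS status is "deep-inspection".
DEEP_INSPECTION_PROFILES = {"deep-inspection"}

# Assumption: service names that cover TCP/541. "ALL" always does; add a
# custom FGFM service object name here if one is used.
FGFM_SERVICES = {"ALL"}


def parse_policies(config_text):
    """Return one dict per policy from the 'config firewall policy' block.

    Each 'set key value...' line becomes key -> list of unquoted tokens.
    """
    policies, current, in_block = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = {"id": int(m.group(1))}
            continue
        if line == "next" and current is not None:
            policies.append(current)
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            # Quoted values may contain spaces; split on quoted or bare tokens.
            tokens = re.findall(r'"[^"]*"|\S+', m.group(2))
            current[m.group(1)] = [t.strip('"') for t in tokens]
    return policies


def _covers(names, wanted):
    """True if an address/service list covers the named object (or is 'all')."""
    return "all" in names or wanted in names


def find_deep_inspected_fgfm_policies(policies, fgt_addr, fmg_addr,
                                      deep_profiles=DEEP_INSPECTION_PROFILES,
                                      fgfm_services=FGFM_SERVICES):
    """List (policy id, direction, profile) for FGFM-matching policies with DPI."""
    hits = []
    for p in policies:
        if p.get("action", ["deny"])[0] != "accept":
            continue
        if not any(s in fgfm_services for s in p.get("service", [])):
            continue
        src, dst = p.get("srcaddr", []), p.get("dstaddr", [])
        fgt_to_fmg = _covers(src, fgt_addr) and _covers(dst, fmg_addr)
        fmg_to_fgt = _covers(src, fmg_addr) and _covers(dst, fgt_addr)
        if not (fgt_to_fmg or fmg_to_fgt):
            continue
        profile = p.get("ssl-ssh-profile", [None])[0]
        if profile in deep_profiles:
            hits.append((p["id"], "FGT->FMG" if fgt_to_fmg else "FMG->FGT", profile))
    return hits


if __name__ == "__main__":
    for pid, direction, profile in find_deep_inspected_fgfm_policies(
            parse_policies(SAMPLE_CONFIG), "FGT-mgmt", "FMG"):
        print(f"policy {pid} ({direction}) applies {profile} to FGFM traffic")
```

On the constructed config only policy 10 is reported: policy 11 uses certificate inspection, which does not terminate the TLS session, and policy 12 does not match either address object. Any policy the script lists is a candidate for the fix in the reply above: remove the profile from it or put a dedicated FGFM policy without deep inspection ahead of it.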
Copyright 2024 Fortinet, Inc. All Rights Reserved.