Moxeq
New Contributor II

FortiGate Kills the connection to FMG

Hello Guys,

We are adding firewalls to be managed by the FMG.

We added all the branch firewalls to the FMG in the HQ, but weirdly the branch firewall in the HQ, which is the assembly point for our branch firewalls, has a problem when we try to add it to the FMG, although, as I mentioned, all the firewalls that pass through it were added to the FMG.

I captured the traffic between them and found that the firewall itself kills the session (sending a FIN to the FMG).

See the two attached photos, which show the capture.

172.130.201.2 is the FGT; 10.130.139.100 is the FMG.

I tried to add a source IP in the FortiGate config for traffic destined to the FMG.

The policies should allow all the ports between them.

Any idea about that?

Attachments: PcapFMG1.png, PcapFMG2.png
MoX, Cybersecurity Engineer
4 REPLIES
AEK
SuperUser

Hi MoX

Which FMG and FGT versions, please?

AEK
Moxeq
New Contributor II

Hi AEK

FGT is on 7.0.14 and FMG on 7.0.12.

The other FGTs that had no issues were also on the same version, 7.0.14.

The FMG has a license to manage 10 devices for now, and currently 8 FGTs have been added.

MoX, Cybersecurity Engineer
AEK

Hi MoX

I remember a post initiated by @sw2090; I think your issue looks the same. It was a certificate-related problem.

https://community.fortinet.com/t5/Support-Forum/FortiManager-deployment-problems-after-FGT-Upgrade-t...

Hope it helps.

AEK
sw2090
SuperUser

In fact it was a DPI issue that hit us with 7.0.14. It however never occurred before 7.0.13/7.0.14. I guess Fortinet made some changes to the FGFM protocol (for security reasons, since there was a CVE) that brought that into effect.

However, even the fgfm debug log, neither on the FMG nor on the FGT side, gave a clue about that, since there was no actual error message. You could thus check by e.g. doing dia debug app fgfmd 255 on the FGT side.

TAC had to provide two debug releases of 7.0.14 to us, and only the second of those gave the clue we needed to find the culprit.

So I recommend checking the fgfm debug log and also checking whether any policy that matches FGFM traffic between FMG and FGT (in BOTH directions) has SSL Deep Inspection active. If so, remove it or create an extra policy for FGFM that matches first. That fixed it for us.

Btw: sorry for the late reply, but I was off on vacation for the last two weeks ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams