Hi all,
I hope you can help me.
I'm having an issue with our FortiManager and a conflict which is preventing us from getting the firewall to a synchronised state. Below is the ssl-ssh-profile and the configuration which it is trying to push; the problem is that this command doesn't exist on the FG CLI.
Does anyone know how I can remove this CLI configuration? I have tried un-selecting it, but it automatically adds tls-1.1 back into the settings. It's very annoying, and although it doesn't stop us from pushing our dynamic policy and other configuration, it will never be shown as synchronized due to this conflict.
Many thanks,
Dan.
And it's better to provide your installation error message from FMG.
I mean the whole error message.
According to a statement from TAC that I got with another issue, I think you ran into the same problem.
Your ADOM is on 7.6 while your FGT is still on 7.4. FMG provides you all options of 7.6 but does not care for your FGT Version here. I had the same with ISDB Entries. I could select Entries that existed only in 7.2 and cannot be deployed to an FGT that still was on 7.0.
I think the same happens here: min-allowed-ssl-version (or its parameters) is an option coming from 7.6 and due to that does not exist in 7.4.
According to TAC, in my case that is wanted behaviour...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
"I think the same happens here: min-allowed-ssl-version (or its parameters) is an option coming from 7.6 and due to that does not exist in 7.4."
This is not true.
My FGT is running V7.4.5 GA and it does have the "min-allowed-ssl-version" setting.
Meanwhile, the FortiOS 7.4.7 CLI reference guide has it:
@Dan_Eng52 , you did not share what your SSL SSH Profile settings are. You may share them from your FGT config.
My guess is that the status of FTPS is disabled. This might be why you couldn't configure the "min-allowed-ssl-version" setting.
You may also log into your FGT directly and check whether it has that setting via CLI.
I hope you're well.
Please see below, in the CLI I do not have the set min-allowed-ssl-version but I do see that it is in the CLI reference document that you provided for 7.4.7 which is odd.
Is this something that has to be enabled in order for these commands to be listed within the CLI? I tried to have a look, but I couldn't see an explicit 'enable' command or similar to do so.
Let me know if you want to see any other settings within my ssl-ssh-profile in order to confirm.
Thanks,
Dan.
Please show the whole configuration of "Corporate-Full-SSL-Inspection" either in CLI or in GUI.
This is weird. The following is from my FGT 7.4.5:
(ftps) # set ?
*ports Ports to use for scanning (1 - 65535, default = 443).
status Configure protocol inspection status.
client-certificate Action based on received client certificate.
unsupported-ssl-version Action based on the SSL version used being unsupported.
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
expired-server-cert Action based on server certificate is expired.
revoked-server-cert Action based on server certificate is revoked.
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
cert-validation-timeout Action based on certificate validation timeout.
cert-validation-failure Action based on certificate validation failure.
min-allowed-ssl-version Minimum SSL version to be allowed.
You can see the "ports" setting is marked with *, which means it is mandatory.
Hey @dingjerry_FTNT,
Thanks for your response.
Please see the snippet below showing the configuration of my 'Corporate-Full-SSL-Inspection' profile in the GUI. It's rather weird; I cannot find a way to get those options to be displayed on any of my FGTs running version 7.4.7. At the moment, I don't have any firewalls running any earlier firmware, so I would have to spin up a lab and test.
It could be that there is an option somewhere that enables these options, but I have not uncovered this yet. Do you know if this is something that requires 'enabling' or should those commands be available without any further input?
Thanks,
Dan.
Hi @dingjerry_FTNT,
I have a lab firewall that is running a similar full SSL setup with 7.2.10 installed; when running the same commands in the CLI, I can see I have the min-allowed-ssl-version available:
Not sure why I cannot see this on my firewalls running 7.4.7.
Thanks,
Dan.
Hi Dan,
I found the reason. In your profile, you have enabled the "Inspect all ports" option.
When this option is enabled, in 7.4, some settings, including the "min-allowed-ssl-version" setting, will not be available.
Please disable the "Inspect all ports" option on FGT or enable it in FMG; it should fix your issue.
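To catch this kind of conflict before an FMG install, rather than after it fails, the following added example (my own code, not Fortinet's or anything from this thread) parses a FortiGate ssl-ssh-profile block and flags per-protocol `min-allowed-ssl-version` lines in any profile whose "Inspect all ports" option is enabled. It assumes that the GUI option maps to `set inspect-all` under `config ssl` (any value other than `disable` meaning enabled) and that the per-protocol sections are `https`, `ftps`, `imaps`, `pop3s` and `smtps`; the sample config is constructed for the example.

```python
"""Lint FortiGate ssl-ssh-profiles for settings that FortiOS 7.4 hides
when "Inspect all ports" is enabled (the behaviour described in the thread).

Assumptions (not verified against Fortinet documentation):
- GUI "Inspect all ports"  ==  `set inspect-all <non-disable value>` under `config ssl`
- `min-allowed-ssl-version` lives in the per-protocol sections listed below
"""
from dataclasses import dataclass, field

PROTOCOL_SECTIONS = ("https", "ftps", "imaps", "pop3s", "smtps")
HIDDEN_WHEN_INSPECT_ALL = ("min-allowed-ssl-version",)


@dataclass
class Node:
    """One `config ...` or `edit ...` scope in a FortiOS config dump."""
    kind: str
    name: str
    settings: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)


def parse_fortios(text: str) -> Node:
    """Build a tree from FortiOS config/edit/set/next/end nesting."""
    root = Node("root", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            node = Node("config", line[len("config "):])
            stack[-1].children[node.name] = node
            stack.append(node)
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            node = Node("edit", name)
            stack[-1].children[name] = node
            stack.append(node)
        elif line.startswith("set "):
            parts = line.split(None, 2)
            value = parts[2].strip('"') if len(parts) > 2 else ""
            stack[-1].settings[parts[1]] = value
        elif line in ("next", "end") and len(stack) > 1:
            stack.pop()  # close the innermost edit/config scope
    return root


def find_conflicts(config_text: str) -> list:
    """Return (profile, section, setting) tuples that 7.4 would not accept
    while inspect-all is enabled, in the order the sections are checked."""
    root = parse_fortios(config_text)
    profiles = root.children.get("firewall ssl-ssh-profile")
    if profiles is None:
        return []
    conflicts = []
    for pname, profile in profiles.children.items():
        ssl = profile.children.get("ssl")
        inspect_all = ssl.settings.get("inspect-all", "disable") if ssl else "disable"
        if inspect_all == "disable":
            continue  # per-port inspection: the setting is legitimately available
        for section in PROTOCOL_SECTIONS:
            node = profile.children.get(section)
            if node is None:
                continue
            for key in HIDDEN_WHEN_INSPECT_ALL:
                if key in node.settings:
                    conflicts.append((pname, section, key))
    return conflicts


# Constructed sample: one profile with inspect-all on, one with it off.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "Corporate-Full-SSL-Inspection"
        config ssl
            set inspect-all deep-inspection
        end
        config https
            set ports 443
            set status deep-inspection
            set min-allowed-ssl-version tls-1.1
        end
        config ftps
            set ports 990
            set status deep-inspection
            set min-allowed-ssl-version tls-1.1
        end
    next
    edit "Per-Port-Inspection"
        config ssl
            set inspect-all disable
        end
        config https
            set ports 443
            set status deep-inspection
            set min-allowed-ssl-version tls-1.2
        end
    next
end
"""

if __name__ == "__main__":
    for profile, section, key in find_conflicts(SAMPLE_CONFIG):
        print(f"{profile}: '{key}' under 'config {section}' is hidden while inspect-all is on")
```

Run it against a `show firewall ssl-ssh-profile` dump taken from the FMG device database (or the CLI script FMG is about to push) and every reported tuple is a line the 7.4 FGT will reject with inspect-all enabled; the second sample profile is reported clean because its inspect-all is disabled.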
Hey @dingjerry_FTNT,
I can confirm this has allowed this option to be displayed and therefore installed via FortiManager; however, I now have an issue with config SSL:
When checking in the CLI, in the config SSL settings within the ssl-ssh-profile, the set min-allowed-tls-version isn't displayed, so it is still showing a conflict and install error in FortiManager.
Also, I would like to inspect all ports; this is a requirement for us, so while disabling it allows me to install via FortiManager, it means we don't have full inspection on all ports enabled.
I would like to hear your thoughts on what I can do to perhaps keep the full inspection on all ports and have my FGT synchronized with FMG.
Perhaps this can only happen with a FortiManager release?
Thanks,
Dan.
Created on 05-11-2025 02:08 PM, edited on 05-11-2025 02:09 PM
Hi Dan,
1) "When checking in the CLI, in the config SSL settings within the ssl-ssh-profile the set min-allowed-tls-version isn't displayed so it is still displaying a conflict and install error in FortiManager."
Not sure what you are talking about. You need to provide all the outputs in CLI with what you were seeing.
2) You may check whether the SSL-SSH profile (Corporate-Full-SSL-Inspection) has the "Inspect all ports" option enabled or not in FMG:
If it is enabled but FMG still pushes the "min-allowed-tls-version" setting, it is an FMG bug.