Dan_Eng52
Contributor II

FortiManager - Pushing CLI Configuration Which Doesn't Exist

Hi all, 

 

I hope you can help me. 

 

I'm having an issue with our FortiManager and a conflict which is preventing us from getting the firewall to a synchronised state. Below is the ssl-ssh-profile and the configuration which it is trying to push, the problem is that this command doesn't exist on the FG CLI. 

[Screenshots: the ssl-ssh-profile and the CLI configuration FortiManager is trying to push]

 

Does anyone know how I can remove this CLI configuration? I have tried un-selecting it but it automatically adds tls-1.1 back into the settings. It's very annoying, and although it doesn't stop us from pushing our dynamic policy and other configuration, it will never be shown as synchronized due to this conflict. 

 

Many thanks, 

Dan. 

22 replies
dingjerry_FTNT

Hi Dan,

 

What is your ADOM version? What is your FGT firmware version?

Regards,

Jerry
dingjerry_FTNT

Oh, if you have no ADOM enabled on your FMG, what is your FMG firmware version?

Regards,

Jerry
Dan_Eng52

Hi dingjerry_FTNT, 

 

I hope you're well. 

 

Yes, I have ADOM configured currently the versions are: 

ADOM Version: 7.6.3

FortiGate Version: 7.4.7

 

I have just upgraded the FortiManager to 7.6.3 as I was having multiple issues related to installation targets not working on dynamic firewall policies, as well as local-in issues, as FMG did not work with SD-WAN zones as the source interface. 

 

Thankfully the policy issue is resolved now, but this issue has presented itself. Please see the full error below: 

 

[Screenshot: install error]

 

It is because the CLI command doesn't exist on the firewall, but I have yet to find a way to remove this from the 'CLI Configuration' section in FMG so that it doesn't push this configuration out. 

 

Thank you for your help.

 

Dan. 

dingjerry_FTNT

Hi @Dan_Eng52 ,

 

1) ADOM version is 7.6, not 7.6.3;

2) Why do you not have an ADOM with FGT 7.6 version for your FGT 7.4.7?  

 

It is not a good idea to hold a FGT 7.4.7 in a 7.6 ADOM.

 

3) Please remove this FGT from the current 7.6 ADOM.  Create a new FGT 7.4 ADOM.  Add your FGT back into this new 7.4 ADOM.  Import all configuration from FGT into this new 7.4 ADOM.

 

4) The screenshot in your very first post did not tell me what the error is. You'd better provide the whole message.

 

BTW, both FGT 7.4.7 & 7.6.3 have the min-allowed-ssl-version setting.

 

5) In the last screenshot, you may select Item #1, then you will be able to open and download the "View Installation Log" content.  It should have the error message as well.

Regards,

Jerry
Dan_Eng52

Hi dingjerry_FTNT,

 

We needed to upgrade the ADOM version to 7.6 due to the unrelenting issues faced with previous versions.

 

We had problems pushing policy packages because FortiManager would push policies to all firewalls even with the installation target set for specific entries. We also had issues with our local-in policies because FortiManager did not understand the source interface being the SD-WAN zone rather than the physical interface. 

 

We could never get our firewalls to be in a synchronized state because there was always a conflict due to the local-in. 

 

This version has resolved that issue now and can push only required policies to our firewalls but this has presented itself. 

 

Can you please show me this setting on an FGT? I have all our firewalls on 7.4.7 and this is not a setting available in the CLI under FTPS. The min-allowed-ssl-version does exist under SSL but not FTPS, which is why this doesn't apply. 

 

I am also unable to un-select this option via FortiManager in the CLI. I've tried doing this in device manager and CLI configuration but no joy. 

 

Thanks,

Dan.
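The mismatch Jerry and Dan are discussing above (a key present in the CLI FortiManager generates, but which the FortiGate's own schema does not expose) can be checked before an install by diffing the CLI shown in the FMG install preview against the output of `show full-configuration` taken from the device. The script below is an added example, not code from this thread or from Fortinet: it parses the FortiOS config syntax (config/edit/set/next/end), collects the keys the device lists per table, and reports any key the pushed fragment sets under a table where the device never lists it. Both config texts embedded in it are constructed for illustration; the profile name `example-deep-inspection`, and the FTPS table lacking `min-allowed-ssl-version`, are assumptions modelled on the thread, not verified 7.4.7 output.

```python
"""Report 'set' keys in a FortiManager-generated CLI fragment that the target
FortiGate does not list under the same config table.  Added example with
constructed input; the sample configs below are not real device output."""
from typing import Dict, List, Set, Tuple

Elem = Tuple[str, str]            # ("config", table-name) or ("edit", entry-name)
Path = Tuple[Elem, ...]
Tables = Dict[Path, Dict[str, str]]


def parse_fortios(text: str) -> Tables:
    """Parse FortiOS config text into {path: {key: value}}.

    The path is the chain of enclosing 'config' tables and 'edit' entries,
    e.g. (("config","firewall ssl-ssh-profile"), ("edit","p1"), ("config","ftps")).
    """
    tables: Tables = {}
    stack: List[Elem] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(("config", rest.strip()))
            tables.setdefault(tuple(stack), {})
        elif word == "edit":
            stack.append(("edit", rest.strip().strip('"')))
            tables.setdefault(tuple(stack), {})
        elif word in ("set", "unset"):
            key, _, value = rest.partition(" ")
            # 'unset x' still proves the device knows key x, so record it too
            tables.setdefault(tuple(stack), {})[key] = value.strip()
        elif word in ("next", "end") and stack:
            stack.pop()
    return tables


def shape(path: Path) -> Tuple[str, ...]:
    """Collapse entry names so every entry of one table shares a schema key."""
    return tuple(name if kind == "config" else "*" for kind, name in path)


def known_keys(device: Tables) -> Dict[Tuple[str, ...], Set[str]]:
    """Union of keys the device lists for each table shape."""
    schema: Dict[Tuple[str, ...], Set[str]] = {}
    for path, settings in device.items():
        schema.setdefault(shape(path), set()).update(settings)
    return schema


def unsupported_settings(pushed: Tables, device: Tables) -> List[Tuple[str, str]]:
    """(path, key) pairs the pushed config sets but the device never lists.

    Assumes the device dump came from 'show full-configuration', which prints
    every key the firmware knows (defaults included); a plain 'show' omits
    defaults and would produce false positives.
    """
    schema = known_keys(device)
    problems: List[Tuple[str, str]] = []
    for path, settings in pushed.items():
        keys = schema.get(shape(path))
        if keys is None:
            # A new entry in a table the device has but holds no entries of,
            # or an unknown ancestor: nothing to compare against, skip.
            if shape(path)[-1] == "*" or shape(path)[:-1] not in schema:
                continue
            keys = set()  # sub-table absent from every device entry
        for key in settings:
            if key not in keys:
                problems.append(("/".join(n for _, n in path), key))
    return sorted(problems)


# Constructed stand-in for the CLI shown in the FMG install preview.
PUSHED_CLI = """
config firewall ssl-ssh-profile
    edit "example-deep-inspection"
        config ssl
            set inspect-all deep-inspection
            set min-allowed-ssl-version tls-1-1
        end
        config ftps
            set ports 990
            set status deep-inspection
            set min-allowed-ssl-version tls-1-1
        end
    next
end
"""

# Constructed stand-in for 'show full-configuration firewall ssl-ssh-profile'
# on the device; deliberately lists no min-allowed-ssl-version under ftps.
DEVICE_DUMP = """
config firewall ssl-ssh-profile
    edit "example-deep-inspection"
        set comment ''
        config ssl
            set inspect-all deep-inspection
            set min-allowed-ssl-version tls-1-1
            set client-certificate bypass
        end
        config ftps
            set ports 990
            set status deep-inspection
            set client-certificate bypass
        end
    next
end
"""

if __name__ == "__main__":
    for path, key in unsupported_settings(parse_fortios(PUSHED_CLI),
                                          parse_fortios(DEVICE_DUMP)):
        print(f"device does not list '{key}' under {path}")
```

Run against real output, the two strings are replaced with the install-preview text and the device's `show full-configuration <table>` output for the same object. The check only flags keys the device never lists; a key that exists but rejects the pushed value (for example an enum value a newer ADOM schema introduced) still has to be caught from the installation log Jerry points to.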

dingjerry_FTNT

Hi @Dan_Eng52 ,

 

Did that TAC provide you with a mantis ID?  Or can you share your ticket #?

 

I want to check the details about the information about the solution to see whether it is the FMG 7.6 or the ADOM 7.6 fixed your issue.

Regards,

Jerry
dingjerry_FTNT

And if you can't share your config, please at least tell me what inspection mode your SSL-SSH-profile is using.  

Regards,

Jerry
Dan_Eng52

Hey dingjerry_FTNT,

 

Thanks for your response.

 

Apologies, we're actually running FGT 7.4 as our ADOM version with FMG 7.6. It was the upgrade to 7.6.3 that resolved our issue; we were previously running 7.6.2, which is where we came across it. 

 

We're using full SSL inspection on our firewalls; I will share further details with you tomorrow. The ticket reference for our TAC case is: #10203398.

 

Many thanks,

Dan. 

dingjerry_FTNT

Hi Dan,

 

I can see that the ticket is mainly for the FMG bug for sync issue with the local-in policy.

 

You should ask the TAC to create a new ticket to track this new issue.

 

Once I get your profile settings tomorrow, if I have time, I may test it in my lab.

Regards,

Jerry