All,
My MSP vendor who uses FortiSIEM rebuilt their collector due to a serious crash this week. One of my FortiGates is currently logging this error: Administrator "FortiSIEM" login failed from ssh(1.1.1.1) because of invalid ssh key; This alert fires off a "Failed Login" alert in my FAZ and is driving me crazy. The collector actually logs in and out just fine; I don't understand why I'm getting this alert.
The only difference between this FortiGate and my other FortiGates is that it's currently running 5.6.6, the rest are 5.6.3. Anyone else seeing this?
My failed login alerts have been disabled due to alert fatigue.
-TFWD
DJ
Admin Network Security
RISQ
Apologies for the delay. Unfortunately, the FortiSIEM is managed by a vendor of ours who was able to resolve the issue(s) with Fortinet Support. I wish I had some details to provide, but I do not.
-TFWD
It's a bit late, but in case anyone else finds this:
I'm willing to bet it's because you have an HA pair and FortiGate devices have the SSH key, not the cluster. So the software connecting to your pair saved the key when one of the devices was master and now the other one is master it's freaking out because of the key change.
If so, remove and save the line in your ~/.ssh/known_hosts for the device (search by its IP and/or hostname), reconnect and save the new key, then edit known_hosts and add the old key back in. Now you have two lines, one for each key, so it shouldn't care which is master.
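The two-line known_hosts arrangement described in the reply above, as an added example that is not part of the original thread: it lists every host key recorded for a device (plain or hashed entries) and appends a second key instead of replacing the first. The address, hostname and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def host_matches(host_field, host):
    """True if a known_hosts host field (comma list or hashed) names host.
    Wildcard and negated patterns are not handled in this sketch."""
    if host_field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        _, _, salt_b64, hash_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return host in host_field.split(",")

def keys_for(known_hosts_text, host):
    """Return [(keytype, base64key), ...] for every line that names host."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, short lines and @cert-authority/@revoked markers.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host):
            found.append((fields[1], fields[2]))
    return found

def add_key(known_hosts_text, host, keytype, key_b64):
    """Append one more key for host; existing lines are never removed."""
    if (keytype, key_b64) in keys_for(known_hosts_text, host):
        return known_hosts_text  # already trusted, nothing to do
    if known_hosts_text and not known_hosts_text.endswith("\n"):
        known_hosts_text += "\n"
    return known_hosts_text + f"{host} {keytype} {key_b64}\n"

# Constructed sample: placeholder key blobs (not real keys), documentation address.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyUnitA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyUnitB"
SAMPLE = f"192.0.2.10,fw-cluster.example ssh-ed25519 {KEY_A}\n"

def demo():
    """Add the second unit's key and list what is now trusted for the address."""
    merged = add_key(SAMPLE, "192.0.2.10", "ssh-ed25519", KEY_B)
    return keys_for(merged, "192.0.2.10")

if __name__ == "__main__":
    for keytype, key in demo():
        print(keytype, key)
```

With both lines present, the client accepts whichever unit answers, so each key added this way should be checked against the device it is supposed to belong to before it is trusted.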