Fortinac Change L3 Devices

rcpdkc · ‎01-22-2024

Hello, I am using fortinac-f version 7.2.5. I added my existing firewall as l3 device. I have access point devices under it. yesterday I replaced my existing firewall with a different model. since yesterday, when I add my username and password to the cli line from the credentials section in the interface, I get an error. the access point devices I saw before are no longer visible. although I press the clear known host button, nothing changes.

AEK · ‎01-22-2024

First, try to connect with ssh from command line to your FGT
The configured user should be super admin or super admin RO
On your FGT remove pre and post-login banners then tey again

AEK

ebilcari · ‎01-22-2024

The error that suggest to check the file "/bsc/.ssh/known_hosts" is from old CentOS version of FNAC.

Since you are running NAC-OS check if the old fingerprint is present using this command:

# execute ssh-known-hosts show nac

and if it's present try to remove using this command:

# execute ssh-known-hosts remove-host nac 10.1.2.1
# Host 10.1.2.1 found: line 6
/bsc/.ssh/known_hosts updated.
Original contents retained as /bsc/.ssh/known_hosts.old

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

rcpdkc · ‎01-22-2024

@ebilcari

The codes you said work but I am using a different port number for ssh.

Output of the following code:

execute ssh-known-hosts show nac

I am applying this way by editing the command you gave me and the result is successful;

execute ssh-known-hosts remove-host nac [192.168.199.1]:2222

But the result is still the same and I get an error again when adding the firewall

When I use a different ssh port, the problem is fixed.

AEK · ‎01-22-2024

Once you add the device (confirm even if not reachable), go to FortiNAC CLI and run the below command:

Device -setAttr -ip <device IP> -name SSH_Port -value 2222

Ref: https://community.fortinet.com/t5/FortiNAC/Technical-Note-Modify-Telnet-and-SSH-port-settings-for-de...

Once done, comeback again to WebUI > Inventory > your device, and validate credentials again, to make sure it works.

AEK

rcpdkc · ‎01-22-2024

Are you sure you're working on Fortinac F?

AEK · ‎01-23-2024

That was on FortiNAC.

On F please try this way:

execute enter-shell

device -ip <device IP> -setAttr -name SSH_Port -value 2222

AEK

rcpdkc · ‎01-23-2024

It worked like this. I got an output but some information does not match, for example the snmp version.

AEK · ‎01-23-2024

Can you share more details about the error?

AEK

ebilcari · ‎01-23-2024

I guess you are referring to this line after you run that command:

Name = SNMP_VERSION_ATTR value = 1

You can ignore this output, it will not cause any issue.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.