rcpdkc
Contributor II

Fortinac Change L3 Devices

Hello, I am using FortiNAC-F version 7.2.5. I added my existing firewall as an L3 device. I have access point devices under it. Yesterday I replaced my existing firewall with a different model. Since yesterday, when I add my username and password to the CLI line from the credentials section in the interface, I get an error. The access point devices I saw before are no longer visible. Although I press the "clear known host" button, nothing changes.

[screenshots: nac_error1.PNG, nac_error2.PNG]

AEK
Honored Contributor

  • First, try to connect with SSH from the command line to your FGT.
  • The configured user should be super admin or super admin RO.
  • On your FGT, remove the pre- and post-login banners, then try again.
AEK
ebilcari
Staff

The error that suggests checking the file "/bsc/.ssh/known_hosts" is from the old CentOS version of FNAC.

Since you are running NAC-OS check if the old fingerprint is present using this command:

# execute ssh-known-hosts show nac

and if it's present try to remove using this command:

# execute ssh-known-hosts remove-host nac 10.1.2.1
# Host 10.1.2.1 found: line 6
/bsc/.ssh/known_hosts updated.
Original contents retained as /bsc/.ssh/known_hosts.old

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
rcpdkc

@ebilcari
The commands you gave work, but I am using a different port number for SSH.

Output of the following command:

execute ssh-known-hosts show nac

[screenshot: fortinac3.PNG]

I applied it this way, editing the command you gave me, and the result is successful:

execute ssh-known-hosts remove-host nac [192.168.199.1]:2222

[screenshot: fortinac4.PNG]

But the result is still the same, and I get an error again when adding the firewall.

[screenshot: nac_error1.PNG]

When I use a different SSH port, the problem is fixed.
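The detail that made the bare-IP removal ineffective is OpenSSH's known_hosts naming rule: a host reached on a non-default port is keyed as `[host]:port`, so an entry for `192.168.199.1` and one for `[192.168.199.1]:2222` are different records, and the old firewall's fingerprint stays behind until the port-qualified form is removed. The script below is an added example, not code from the thread or from FortiNAC; it parses a constructed known_hosts file (the IPs, port and key strings are placeholders, not real keys), handles both plain and hashed (`|1|salt|hash`) entries, and returns which lines a removal for a given host and port would drop.

```python
import base64
import hashlib
import hmac

DEFAULT_SSH_PORT = 22


def hashed_hostname(name: str, salt: bytes) -> str:
    """Build the OpenSSH hashed-host form: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def known_hosts_key(host: str, port: int = DEFAULT_SSH_PORT) -> str:
    """Name under which OpenSSH stores a host: bare host for port 22, [host]:port otherwise."""
    return host if port == DEFAULT_SSH_PORT else f"[{host}]:{port}"


def entry_matches(hostfield: str, key: str) -> bool:
    """True if the comma-separated host field (plain or hashed names) contains `key`."""
    for name in hostfield.split(","):
        if name.startswith("|1|"):
            # Hashed entry: recompute the HMAC with the stored salt and compare.
            _, _, salt_b64, _ = name.split("|")
            salt = base64.b64decode(salt_b64)
            if hmac.compare_digest(hashed_hostname(key, salt), name):
                return True
        elif name == key:
            return True
    return False


def remove_host(known_hosts: str, host: str, port: int = DEFAULT_SSH_PORT):
    """Return (new_file_text, removed_lines) after dropping every entry for host/port."""
    key = known_hosts_key(host, port)
    kept, removed = [], []
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # "@cert-authority" / "@revoked" markers precede the host field.
        hostfield = fields[1] if fields[0].startswith("@") else fields[0]
        (removed if entry_matches(hostfield, key) else kept).append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file (assumption, not from the thread): the same firewall IP
# recorded for port 22, for port 2222 in plain form, and for port 2222 hashed,
# plus an unrelated device. Key blobs are placeholders.
SAMPLE_SALT = b"0123456789abcdefghij"  # 20 bytes, as OpenSSH uses
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.199.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDFIREWALLKEY",
    "[192.168.199.1]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDFIREWALLKEY",
    hashed_hostname("[192.168.199.1]:2222", SAMPLE_SALT) + " ssh-rsa AAAAB3NzaC1yc2EOLDKEY",
    "10.1.2.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERDEVICE",
]) + "\n"


if __name__ == "__main__":
    # Removing the bare IP leaves both port-2222 entries (and the stale key) in place.
    _, removed_default = remove_host(SAMPLE_KNOWN_HOSTS, "192.168.199.1")
    print("removed for port 22:", len(removed_default))
    # Removing the [host]:port form drops the plain and the hashed 2222 entries.
    _, removed_2222 = remove_host(SAMPLE_KNOWN_HOSTS, "192.168.199.1", 2222)
    print("removed for port 2222:", len(removed_2222))
```

On a stock OpenSSH host the equivalent removal is `ssh-keygen -R "[192.168.199.1]:2222"`; the FortiNAC wrapper in the thread accepts the same `[host]:port` spelling. After a hardware swap the new firewall presents a new host key, so the stale entry is exactly what triggers the mismatch; remove that one entry and confirm the new fingerprint out of band rather than disabling host-key checking.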
AEK
Honored Contributor

Once you add the device (confirm even if not reachable), go to FortiNAC CLI and run the below command:

Device -setAttr -ip <device IP> -name SSH_Port -value 2222

Ref:  https://community.fortinet.com/t5/FortiNAC/Technical-Note-Modify-Telnet-and-SSH-port-settings-for-de...

Once done, come back to the WebUI > Inventory > your device, and validate the credentials again to make sure it works.

AEK
rcpdkc
Contributor II

[screenshot: fortinac5.PNG]

Are you sure you're working on FortiNAC-F?

AEK
Honored Contributor

That was on FortiNAC.

On F please try this way:

execute enter-shell

device -ip <device IP> -setAttr -name SSH_Port -value 2222

AEK
rcpdkc
Contributor II

It worked like this. I got an output, but some information does not match, for example the SNMP version.

AEK
Honored Contributor

Can you share more details about the error?

AEK
ebilcari

I guess you are referring to this line after you run that command:

Name = SNMP_VERSION_ATTR value = 1

You can ignore this output, it will not cause any issue.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.