Hi all
TL;DR
Does anyone know if the Fortigate trial licence limitations on encryption/decryption (which for example prevent the use of HTTPS) also prevent the SSL connections from Fortigate to FortiAnalyzer for the purposes of sending logs (via oftpd)?
I was trying to test sending logs from a Fortigate VM (firmware 6.4) to FortiAnalyzer VM (firmware 6.4) but I just get "No connection" and if you hover the cursor over that you get "Error occurred:{0}". The goal is to test forwarding logs from the FortiAnalyzer to a third device but I can't get this far as the Fortigate won't send the logs to the FortiAnalyzer. A reddit post (www.reddit.com/r/...er_trial_ssl_error_3/) suggested this is probably a trial licence limitation but it would be good to confirm it here if possible.
If anyone has found something similar please let me know.
Thanks
Testing steps:
I've made sure to check the compatibility matrix and the FGT and FAZ are compatible. The Fortigate device is added as a device in the FortiAnalyzer. I can test connectivity between the two using ping successfully.
I found various posts online with suggestions to make it work by allowing weaker encryption but none worked in this case e.g. (forum.fortinet.com/tm.aspx?m=140479)
FGT:
conf log fortianalyzer setting
set enc-algorithm low
set reliable enable
FAZ:
conf global setting
set enc-algorithm low
FGT:
exec log fortianalyzer test-connectivity
Failed to get FAZ's status. Connection failed. Connection refused(-1)
Failed to get FAZ's status. SSL error. (-3).
FAZ - enabling debug logging for the oftpd app on the Fortianalyzer showed the following error:
(as in kb.fortinet.com/k...do?externalID=FD41272)
[oftpd_handle_session] oftp_recv_packet failed: SSL setup failure.
Client connection closed. Reason 14(SSL setup failure)
Also I read the following, but it seems that these conditions were met during testing:
- >6.2 FAZ will only process encrypted logs from Fortinet devices.
- FAZ encryption level MUST be equal to or less than the FGT's encryption level.
Trial licences are in use on both the Fortigate and the FortiAnalyzer.
Hi
This works for me with FortiAnalyzer-VM64 v6.2.3 and FortiGate-VM64 v6.2.3 running unregistered trial versions:
FAZ config:
config system global
set enc-algorithm low
set log-forward-cache-size 4
set oftp-ssl-protocol sslv3
set usg enable
end
Fortigate config:
config log fortianalyzer setting
set status enable
set server "10.1.2.100"
set certificate-verification disable
set serial "FAZ-VM0000000001"
set ssl-min-proto-version SSLv3
set upload-option realtime
end
Successful FortiAnalyzer connectivity is not visible in the GUI. But it's transferring logs and the CLI command shows a successful connection:
FortiGate-VM64 # execute log fortianalyzer test-connectivity
FortiAnalyzer Host Name: FAZVM64
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 704512B/53687091200B
Analytics Usage (Used/Allocated): 671744B/37580963840B
Analytics Usage (Data Policy Days Actual/Configured): 0/60 Days
Archive Usage (Used/Allocated): 32768B/16106127360B
Archive Usage (Data Policy Days Actual/Configured): 365/365 Days
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001
After entering the CLI commands, just go to Security Fabric -> Settings and re-apply the settings.
Then you should be able to change the log location to FortiAnalyzer in the 'Log & Report' view as well.
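As an added example (not from this thread or from Fortinet), here is a small Python parser for the output of `execute log fortianalyzer test-connectivity`, covering both the failure form quoted in the question (`Connection refused(-1)`, `SSL error. (-3)`) and the success report quoted in this answer. It returns a structured result, cross-checks the serial reported in the certificate line against the value you configured with `set serial`, and maps the error codes to a hint. The sample outputs are constructed by copying the lines quoted in this thread; the hints for -1 and -3 are assumptions drawn from this thread, not from Fortinet documentation.

```python
import re

# Sample outputs, constructed by copying the lines quoted in this thread.
FAILED_OUTPUT = """\
Failed to get FAZ's status. Connection failed. Connection refused(-1)
Failed to get FAZ's status. SSL error. (-3).
"""

OK_OUTPUT = """\
FortiAnalyzer Host Name: FAZVM64
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVMEVFV6YKXEGEB
Registration: registered
Connection: allow
Adom Disk Space (Used/Allocated): 704512B/53687091200B
Log: Tx & Rx (5 logs received since 10:46:07 05/02/20)
IPS Packet Log: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
Certificate of Fortianalyzer valid and serial number is:FAZ-VM0000000001
"""

# "Failed to get FAZ's status. <reason> (<code>)" lines; codes -1 and -3 appear in the thread.
FAILURE_RE = re.compile(r"^Failed to get FAZ's status\. (?P<reason>.+?)\s*\((?P<code>-?\d+)\)")
# Last line of a successful report; the serial must match the FGT's "set serial".
CERT_RE = re.compile(r"^Certificate of Fortianalyzer (?P<verdict>valid|invalid)"
                     r".*?serial number is:\s*(?P<serial>\S+)")


def parse_test_connectivity(output):
    """Parse `execute log fortianalyzer test-connectivity` output into a dict."""
    result = {"ok": False, "errors": [], "fields": {}, "cert_valid": None, "faz_serial": None}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAILURE_RE.match(line)
        if m:
            result["errors"].append((int(m.group("code")), m.group("reason").rstrip(".")))
            continue
        m = CERT_RE.match(line)
        if m:
            result["cert_valid"] = m.group("verdict") == "valid"
            result["faz_serial"] = m.group("serial")
            continue
        key, sep, value = line.partition(":")  # "Key: value" status lines
        if sep:
            result["fields"][key.strip()] = value.strip()
    f = result["fields"]
    result["ok"] = (not result["errors"]
                    and f.get("Registration") == "registered"
                    and f.get("Connection") == "allow"
                    and f.get("Log", "").startswith("Tx & Rx"))
    return result


def findings(result, expected_serial):
    """Return human-readable problems; an empty list means the FAZ link looks healthy."""
    out = []
    for code, reason in result["errors"]:
        if code == -1:
            # Assumption: the FAZ closed or refused the OFTP session (TCP/514 by default).
            out.append(f"{reason} ({code}): FAZ refused the session; check reachability of the "
                       "OFTP port (TCP/514) and that the FGT is added to the FAZ")
        elif code == -3:
            # Assumption based on the thread: TLS settings on the two sides do not overlap.
            out.append(f"{reason} ({code}): TLS handshake failed; FAZ enc-algorithm/oftp-ssl-protocol "
                       "must be at or below the FGT's enc-algorithm/ssl-min-proto-version")
        else:
            out.append(f"{reason} ({code}): unrecognised error code")
    if result["cert_valid"] is False:
        out.append("FAZ certificate reported invalid")
    if result["faz_serial"] and result["faz_serial"] != expected_serial:
        out.append(f"FAZ serial {result['faz_serial']} does not match configured serial {expected_serial}")
    if not result["errors"] and not result["ok"]:
        out.append("registered/allow/Tx & Rx status not all present")
    return out


if __name__ == "__main__":
    for name, sample in (("failed", FAILED_OUTPUT), ("ok", OK_OUTPUT)):
        r = parse_test_connectivity(sample)
        print(name, "ok" if r["ok"] else "NOT ok", findings(r, "FAZ-VM0000000001"))
```

In practice you would feed it the output captured over SSH from each FortiGate and pass the serial from that device's `config log fortianalyzer setting`; a serial mismatch there is the first thing to rule out before touching the cipher settings.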
I don't know about FortiAnalyzer.
But Fortigates only have very limited encryption support for web management, IPSEC tunnels, SSLVPN, SSL inspection, etc.
So this will be probably the same for your FortiAnalyzer connections.
Can you give this a try?
On your Fortigate:
config log fortianalyzer setting
set reliable disable
Hi, thanks for the reply.
I used that setting on the Fortigate but unfortunately there was no change to the connection status.
Hi, thank you
I applied the settings on my 6.4 firmware FGT/FAZ devices as you detailed above but unfortunately they did not allow the two devices to communicate. The GUI still showed 'No Connectivity' and on CLI the output from 'exec log fortianalyzer test-connectivity' was still:
Failed to get FAZ's status. Connection failed. Connection refused(-1)
Failed to get FAZ's status. SSL error. (-3).
Following your post though I have downloaded a Fortigate and Fortianalyzer VM for firmware version 6.2.3, deployed these VMs, applied the Fortigate config log fortianalyzer settings and FortiAnalyzer system global settings as in your post, and I have been able to successfully send the logs from the Fortigate to the FortiAnalyzer.
Thanks again
Hello,
I am facing the same issue, but there is no assistance here...
Tried it on 6.4.4 - worked, tried 6.4.5 - didn't , go figure, in the end asked for evaluation license and all worked.
For VMs (FAZ & FG) do this
@ FAZ
config system global
set log-forward-cache-size 4
set oftp-ssl-protocol sslv3
end
@ FG
config log fortianalyzer setting
set serial "FAZ-VM0000000001"
set ssl-min-proto-version SSLv3
end
wait for a min or two then issue
execute log fortianalyzer test-connectivity
miraching wrote:
For VMs (FAZ & FG) do this
@ FAZ
config system global
set log-forward-cache-size 4
set oftp-ssl-protocol sslv3
end
@ FG
config log fortianalyzer setting
set serial "FAZ-VM0000000001"
set ssl-min-proto-version SSLv3
end
wait for a min or two then issue
execute log fortianalyzer test-connectivity

still not working on 6.4....
Yurisk wrote: Tried it on 6.4.4 - worked, tried 6.4.5 - didn't , go figure, in the end asked for evaluation license and all worked.
Would you please advise which are the exact commands you have executed and how did you accept the eval license? Thanks.
Copyright 2024 Fortinet, Inc. All Rights Reserved.