Hi All,
Last weekend we replaced a 200E with a 120G. The 200E was managed by FortiManager and was logging to FortiAnalyzer. After the replacement I was unable to get the 120G to log to FAZ or to be managed by FMG.
For the connection to FAZ:
When I enable the fabric connector I receive a popup with the serial number of the correct analyzer. For me this means that the source-ip of the FGT is allowed to reach the FAZ device and is able to communicate, since it is able to retrieve the correct serial number; the open ports are UDP and TCP 514. When I navigate to FAZ the device is not available under unauthorized devices.
For the connection to FMG:
I am able to reach TCP 541 on FMG from the source-ip that is configured on the FGT. When opening the CLI and running some debugs and sniffers I notice that a connection between the FGT and FMG is established, but for some reason the FMG is not able to list the FGT as an unauthorized device. This is a part of the output on the FGT; we can find similar output from the FMG side:
2024-07-01 09:44:43 FGFMs: Incoming 10.145.4.26 local 10.162.4.1.
2024-07-01 09:44:43 FGFMs: Create session 0x219ea3c0.
2024-07-01 09:44:43 FGFMs: checking existing sessions...
2024-07-01 09:44:43 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-07-01 09:44:43 FGFMs: Load Cipher CIPHERS
2024-07-01 09:44:43 FGFMs: Cleanup session 0x219e3550, 10.145.4.26.
2024-07-01 09:44:43 FGFMs: Destroy session 0x219e3550, 10.145.4.26.
2024-07-01 09:44:43 FGFMs: before SSL initialization
2024-07-01 09:44:43 FGFMs: Broadcast 4 CA subject names to FMG
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client hello
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client hello
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server hello
2024-07-01 09:44:43 FGFMs: TLSv1.3 read encrypted extensions
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server certificate request
2024-07-01 09:44:43 FGFMs: Got 3 CA subject names from FMG broadcast
2024-07-01 09:44:43 FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
2024-07-01 09:44:43 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
2024-07-01 09:44:43 FGFMs: CA issuer matched, local=remote=support
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server certificate
2024-07-01 09:44:43 FGFMs: TLSv1.3 read server certificate verify
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read finished
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write change cipher spec
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client certificate
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write certificate verify
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write finished
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: client:send:
get auth
fg_ip=10.162.4.1
mgmtip=10.162.4.1
mgmtport=443 (not sure why it is using 443, this is not our default mgmt port)
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server session ticket
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server session ticket
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=auth
serialno=FMG-xxxxxxxxxxxxxxxxxxxxx
user=xxxxxxxxxxxxxxxxxx
passwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
mgmtport=443
keepalive_interval=120
chan_window_sz=32768
sock_timeout=360
2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 120
2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set sock timeout: 360
2024-07-01 09:44:43 FGFMs: [fgfm_msg_put_tuninfo] vdom='wwwwwwwwwwww', physical_intf=xxxx, intf='wwwwwwwwwwwww'
2024-07-01 09:44:43 FGFMs: client:send:
get ip
serialno=FG120xxxxxxxxxxxxxxxxxxxxxx
mgmtid=xxxxxxxxxxxxxxxxx
platform=FortiGate-120G
fos_ver=700
minor=0
patch=14
build=7212
branch=601
maxvdom=10f
fg_ip=10.162.4.1
hostname=xxx
harddisk=xxx
biover=06000104
mgmt_mode=normal
enc_flags=0
first_fmgid=
probe_mode=yes
vdom=root
intf=xxxxxxx
phyintf=xxxxxxx
2024-07-01 09:44:43 FGFMs: serial no FMG-************ saved to FMG detect file
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=ip
probe_mode=yes
register_status=0
fmg_ip=10.145.4.26
mgmtport=443
cur_tun_serial=
keepalive_interval=120
chan_window_sz=32768
sock_timeout=360
I made sure that the FGT is using low ciphers under central management and I made sure that in FMG the enc-algo is set to low for the FMG process in charge of setting up tunnels to the firewalls.
Any Idea what the issue can be?
FGT is running 7.0.14 (suggested by our Fortinet Partner for 120G devices)
FMG is 7.2.3 (our other firewalls connect fine to this Manager and they also run 7.0.14)
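The FGFM debug output above is easier to triage when it is split into the plain TLS events and the request/reply message blocks the FGT exchanges with the FMG. The following is an added example, not code from the original post or from Fortinet: a small Python parser for the `FGFMs:` debug format as it appears in the post. The sample log is constructed from the posted lines (serials and credentials redacted as in the post), the `client:send:` / `client:` markers are assumed to delimit request and reply blocks as they do there, and the parser only extracts field values (platform, fos_ver, register_status, ...) without asserting what FMG means by them. Credentials echoed in the `auth` reply are masked so the summary can be pasted into a ticket.

```python
"""Triage helper for FortiGate FGFM debug output (added example, not Fortinet code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the debug lines posted in the thread.
SAMPLE = """\
2024-07-01 09:44:43 FGFMs: Incoming 10.145.4.26 local 10.162.4.1.
2024-07-01 09:44:43 FGFMs: CA issuer matched, local=remote=support
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: client:send:
get auth
fg_ip=10.162.4.1
mgmtip=10.162.4.1
mgmtport=443 (not sure why it is using 443, this is not our default mgmt port)
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=auth
serialno=FMG-xxxxxxxxxxxxxxxxxxxxx
user=xxxxxxxxxxxxxxxxxx
passwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
mgmtport=443
2024-07-01 09:44:43 FGFMs: client:send:
get ip
serialno=FG120xxxxxxxxxxxxxxxxxxxxxx
platform=FortiGate-120G
fos_ver=700
minor=0
patch=14
build=7212
probe_mode=yes
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=ip
probe_mode=yes
register_status=0
fmg_ip=10.145.4.26
"""

EVENT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} FGFMs: (?P<text>.*)$")
SENSITIVE_KEYS = {"user", "passwd"}  # never echo FMG credentials into a ticket


@dataclass
class FgfmMessage:
    kind: str                      # "request" (FGT -> FMG) or "reply" (FMG -> FGT)
    name: str = ""                 # e.g. "auth", "ip"
    status: Optional[int] = None   # reply code, e.g. 200
    fields: dict = field(default_factory=dict)


def parse_fgfm(text: str) -> tuple[list[str], list[FgfmMessage]]:
    """Split FGFM debug output into timestamped events and request/reply blocks."""
    events: list[str] = []
    messages: list[FgfmMessage] = []
    current: Optional[FgfmMessage] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            txt = m.group("text")
            if txt == "client:send:":          # assumed: start of an FGT -> FMG request
                current = FgfmMessage(kind="request")
                messages.append(current)
            elif txt == "client:":             # assumed: start of an FMG -> FGT reply
                current = FgfmMessage(kind="reply")
                messages.append(current)
            else:
                current = None
                events.append(txt)
            continue
        if current is None:
            continue  # untimestamped line outside any message block
        if current.kind == "request" and line.startswith("get ") and not current.name:
            current.name = line[4:].strip()
        elif current.kind == "reply" and line.startswith("reply ") and current.status is None:
            current.status = int(line.split()[1])
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            value = value.split(" (")[0].strip()   # drop inline operator notes "(...)"
            if key == "request":
                current.name = value
            current.fields[key] = "<redacted>" if key in SENSITIVE_KEYS else value
    return events, messages


def summarize(events: list[str], messages: list[FgfmMessage]) -> dict:
    """Collect the facts a ticket needs: TLS state, reply codes, platform/version, FMG status."""
    rep = {m.name: m for m in messages if m.kind == "reply"}
    req = {m.name: m for m in messages if m.kind == "request"}
    ip_req = req.get("ip", FgfmMessage("request")).fields
    ip_rep = rep.get("ip", FgfmMessage("reply")).fields
    auth_rep = rep.get("auth", FgfmMessage("reply")).fields
    ver = {k: ip_req.get(k, "?") for k in ("fos_ver", "minor", "patch", "build")}
    return {
        "tls_ok": any(e.startswith("SSL negotiation finished successfully") for e in events),
        "ca_matched": any(e.startswith("CA issuer matched") for e in events),
        "all_replies_200": bool(rep) and all(m.status == 200 for m in rep.values()),
        "fmg_serial": auth_rep.get("serialno", ""),
        "platform": ip_req.get("platform", ""),
        "fos_version": "fos_ver={fos_ver} minor={minor} patch={patch} build={build}".format(**ver),
        "probe_mode": ip_rep.get("probe_mode", ""),
        "register_status": ip_rep.get("register_status", ""),  # reported by FMG, not interpreted
    }


if __name__ == "__main__":
    for k, v in summarize(*parse_fgfm(SAMPLE)).items():
        print(f"{k:16} {v}")
```

Feed it the output of the FGFM debug on the FortiGate (the same lines shown above). A summary with `tls_ok`, `ca_matched` and `all_replies_200` true but no device appearing under unauthorized devices tells you the problem is not reachability, ciphers or certificates, and points attention at what the FGT announces in `get ip` (platform and version) and how the FMG answers it.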
Hi,
Can you confirm whether FAZ and FMG have ADOM enabled? If yes, can you check that the 120G is not appearing as an unauthorized device in the root ADOM?
Hi Jason
ADOM mode is enabled on both devices, and I made sure to check the root ADOM for the unauthorized devices. I tested adding the devices from the root ADOM on FMG and FAZ to the FGT to test the device registration from both sides, but this did not make any difference.
Because I do not understand the issue, I already removed the old firewalls from the FAZ and FMG so that the duplicate device does not create an issue (normally you provide a name after you add a device, so it should not play a role, but two devices with the same IP might create issues).
Regards
Hi,
Can you check whether you have actually configured the source-ip? This is to ensure FAZ/FMG is able to recognize the actual FGT source IP from which it attempts to establish connectivity.
config log fortianalyzer setting
set source-ip {FGT IP}
end
config system central-management
set fmg-source-ip {FGT IP}
end
Created on 07-01-2024 01:49 AM Edited on 07-01-2024 01:50 AM
This is the output for FAZ:
config log fortianalyzer setting
set status enable
set server "10.250.32.164"
set serial "FAZVMXXX" (correct FAZ serial number)
set source-ip "10.162.4.1"
end
Note: only with the 10.162.4.1 ip (the policy allowed IP) I am able to reach the serial number popup.
This is the output for FMG:
config system central-management
set type fortimanager
set fmg "10.145.4.26"
set fmg-source-ip 10.162.4.1
set enc-algorithm low
end
Note: because connecting a FortiManager does not generate a pop-up with a serial number (or maybe it did not work because of a connection issue) I was unsure whether the FGT could reach the FMG. I tested this with telnet.
xxx_M # exec telnet-options source 10.162.4.1
xxx_M # exec telnet 10.145.4.26 541
Trying 10.145.4.26...
Connected to 10.145.4.26.
If there's a popup with the correct FAZ/FMG serial during the registration, it would generally mean that FGT is able to reach FAZ/FMG without any issue.
Are you able to try and reboot both FAZ & FMG while disabling the FAZ/FMG registration from the local FGT (Security Fabric)? Once FAZ & FMG comes up, you can try to re-enable FMG/FAZ registration and verify if the device appears as unauthorized.
If the issue persists, I suggest you open a TAC ticket to have it looked into by the Fortinet engineers.
Hi Jason
Rebooting the FAZ and FMG and later enabling the fabric connectors did not change anything; this was something I had not tested before.
I would like to reboot the FGT but for this I have to request downtime which I will not get for a couple of weeks...
Thanks for your suggestions and time, I will pick this up with support.
The issue was that FortiManager and FortiAnalyzer only support 120G models from 7.4.2/7.4.3. After the upgrade, adding the devices was not an issue.