Unable to connect 120G to FAZ-VM and FMG-VM

LarsDS · ‎07-01-2024

Hi All,

Last weekend we replaced a 200E with 120G. The 200E was managed by Fortimanager and was logging to fortianalyzer. After the replacement I was unable to get the 120G to log to FAZ or to be managed by FMG.

For the connection to FAZ:

When I enable the fabric connector i receive a popup with the serial number of the correct analyzer. For me this means that the source-ip of the FGT is allowed to reach the FAZ device and is able to communicate since it is able to retrieve the correct Serial number, open ports are UDP and TCP 514. When I navigate to FAZ the device is not available in unauthorized devices.

For the connection to FMG:

I am able to reach TCP-541 on FMG from the source-ip that is configured on the FGT. When opening the CLI and running some Debug and sniffers I notice that a connection between the FGT and FMG is established but for some reason the FMG is not able to list the FGT as an unauthorized device. This is a part of the output on the FGT, we can find similar output from FMG side:

2024-07-01 09:44:43 FGFMs: Incoming 10.145.4.26 local 10.162.4.1.
2024-07-01 09:44:43 FGFMs: Create session 0x219ea3c0.
2024-07-01 09:44:43 FGFMs: checking existing sessions...
2024-07-01 09:44:43 FGFMs: set_fgfm_sni SNI<support.fortinet-ca2.fortinet.com>
2024-07-01 09:44:43 FGFMs: Load Cipher CIPHERS
2024-07-01 09:44:43 FGFMs: Cleanup session 0x219e3550, 10.145.4.26.
2024-07-01 09:44:43 FGFMs: Destroy session 0x219e3550, 10.145.4.26.
2024-07-01 09:44:43 FGFMs: before SSL initialization
2024-07-01 09:44:43 FGFMs: Broadcast 4 CA subject names to FMG
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client hello
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client hello
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server hello
2024-07-01 09:44:43 FGFMs: TLSv1.3 read encrypted extensions
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server certificate request
2024-07-01 09:44:43 FGFMs: Got 3 CA subject names from FMG broadcast
2024-07-01 09:44:43 FGFMs: Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
2024-07-01 09:44:43 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(support)
2024-07-01 09:44:43 FGFMs: CA issuer matched, local=remote=support
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server certificate
2024-07-01 09:44:43 FGFMs: TLSv1.3 read server certificate verify
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read finished
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write change cipher spec
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write client certificate
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write certificate verify
2024-07-01 09:44:43 FGFMs: SSLv3/TLS write finished
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: client:send:
get auth
fg_ip=10.162.4.1
mgmtip=10.162.4.1
mgmtport=443 (not sure why it is using 443, this is not our default mgmt port)


2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server session ticket
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSL negotiation finished successfully
2024-07-01 09:44:43 FGFMs: SSLv3/TLS read server session ticket
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=auth
serialno=FMG-xxxxxxxxxxxxxxxxxxxxx
user=xxxxxxxxxxxxxxxxxx
passwd=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
mgmtport=443
keepalive_interval=120
chan_window_sz=32768
sock_timeout=360


2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 120
2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
2024-07-01 09:44:43 FGFMs: [__chg_by_fgfm_msg] set sock timeout: 360
2024-07-01 09:44:43 FGFMs: [fgfm_msg_put_tuninfo] vdom='wwwwwwwwwwww', physical_intf=xxxx, intf='wwwwwwwwwwwww'
2024-07-01 09:44:43 FGFMs: client:send:
get ip
serialno=FG120xxxxxxxxxxxxxxxxxxxxxx
mgmtid=xxxxxxxxxxxxxxxxx
platform=FortiGate-120G
fos_ver=700
minor=0
patch=14
build=7212
branch=601
maxvdom=10f
fg_ip=10.162.4.1
hostname=xxx
harddisk=xxx
biover=06000104
mgmt_mode=normal
enc_flags=0
first_fmgid=
probe_mode=yes
vdom=root
intf=xxxxxxx
phyintf=xxxxxxx


2024-07-01 09:44:43 FGFMs: serial no FMG-************ saved to FMG detect file
2024-07-01 09:44:43 FGFMs: client:
reply 200
request=ip
probe_mode=yes
register_status=0
fmg_ip=10.145.4.26
mgmtport=443
cur_tun_serial=
keepalive_interval=120
chan_window_sz=32768
sock_timeout=360

I made sure that the FGT is using low ciphers under central management and I made sure that in FMG the enc-algo is set to low for the FMG process in charge of setting up tunnels to the firewalls.

Any Idea what the issue can be?
FGT is running 7.0.14 (suggested by our Fortinet Partner for 120G devices)
FMG is 7.2.3 (our other firewalls connect fine to this Manager and they also run 7.0.14)

jasonhong · ‎07-01-2024

Hi,

Can you confirm if FAZ and FMG have ADOM enabled? If yes, can you make sure if the 120G is not appearing as unauthorized device in the root ADOM?

LarsDS · ‎07-01-2024

Hi Jason

ADOM mode is enabled on both devices, I made sure to check in the root ADOM for the unauthorized devices. I tested adding the devices from the root ADOM on FMG and FAZ to the FGT to test the device registration from both sides but this did not make any difference.
Because I do not understand the issue I already removed the old firewalls from the FAZ and FMG so the duplicate device does not create an issue (Normally you provide a name after you add a device so I should not play a role but two devices with the same IP might create issues).

Regards

jasonhong · ‎07-01-2024

Hi,

Can you check if you have actually configured the source-ip? This is to ensure FAZ/FMG is able to recognize the actual FGT source IP it attempts to establish the connectivity.

config log fortianalyzer setting
    set source-ip {FGT IP}

config system central-management
    set fmg-source-ip {FGT IP}

LarsDS · ‎07-01-2024

This is the output for FAZ:

config log fortianalyzer setting
set status enable
set server "10.250.32.164"
set serial "FAZVMXXX" (correct FAZ serial number)
set source-ip "10.162.4.1"
end

Note: only with the 10.162.4.1 ip (the policy allowed IP) I am able to reach the serial number popup.
This is the output for FMG:

config system central-management
set type fortimanager
set fmg "10.145.4.26"
set fmg-source-ip 10.162.4.1
set enc-algorithm low
end

Note: because connecting a fortimanager does not generate a pop-up with serial number (or maybe it did not work because of a connection issue) I was unsure if the FGT could reach the FMG. I tested this with telnet.

xxx_M # exec telnet-options source 10.162.4.1

xxx_M # exec telnet 10.145.4.26 541
Trying 10.145.4.26...
Connected to 10.145.4.26.

jasonhong · ‎07-01-2024

If there's a popup with the correct FAZ/FMG serial during the registration, it would generally mean that FGT is able to reach FAZ/FMG without any issue.

Are you able to try and reboot both FAZ & FMG while disabling the FAZ/FMG registration from the local FGT (Security Fabric)? Once FAZ & FMG comes up, you can try to re-enable FMG/FAZ registration and verify if the device appears as unauthorized.

If the issue persist, I suggest you open a TAC ticket to have it looked into by the Fortinet engineers.

LarsDS · ‎07-01-2024

Hi Jason

Rebooting the FAZ and FMG and later enabling the fabric connectors did not change anything, this was something I did not test before.

I would like to reboot the FGT but for this I have to request downtime which I will not get for a couple of weeks...

Thanks for your suggestions and time, I will pick this up with support.