Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mayar
New Contributor II

set banned-cipher prevents pushing the device configuration on trial Fortigate VM

Hi there,

 

I'm having issue in a lab (build by me) that i've created with trial version of FortiGate VMs (x2), FortiManager (x1) and FortiAnalyzer (x1).

I've added two FortiGates to the FortiManager, and everything was working without issues, untill the first device installation.

The FortiManager keeps showing error in the installation of device configuration, after digging around, i found out that the issue occurs because of the "set banned-cipher" command. This command seems to be not available in the trial fortivm, and in the FortiManager I wasn't able to remove the setting from the CLI configuration (because it requires at least 1 cipher that has to be banned).

The running versions of the devices are;

FortiGate VMs KVM 7.4.4 build 2662 (Feature)

FortiManager v7.4.3-build2487 240514 (GA)

FortiAnalyzer (while it doesn't have to do with the issue) v7.4.3-build2487 240514 (GA)

2024-09-30 15_08_25-gns3@gns3vm - TightVNC Viewer.png2024-09-30 15_09_18-gns3@gns3vm - TightVNC Viewer.png2024-09-30 15_11_04-gns3@gns3vm - TightVNC Viewer.png

 

When i deselect the banned-cipher and click apply (in the CLI configuration of the device) the ciphers SHA1, SHA256 and SHA384 are reselected again!

2024-09-30 15_17_02-gns3@gns3vm - TightVNC Viewer.png

Did anyone encounter this issue?

is there a solution for this issue?

12 REPLIES 12
dbhavsar
Staff
Staff

Hello @mayar ,

 

- Have you tried manually configuring this on FortiGate?

DNB
mayar
New Contributor II

Hi,

I've tried to configure the setting thorugh the CLI on the Fortigate, but the whole command seems not to exist, it might have to do with the fact that the Fortigates have trial licenses. But I'm not sure.

dbhavsar

Hello @mayar,

Just to confirm, is there any VDOMs configured in your FortiGate?

 

DNB
mayar
New Contributor II

Hi,

No there are no VDOMs configured, but I'm curious why the question? :D

I do know that each VDOM is treated by Fortimanager as a separate entity, but this doesn't have to do with the current issue as far as I can see, please correct me if I'm wrong.

mayar
New Contributor II

Does anyone have the answer to my question?

I would really appreciate it!

Polarbearsnow
New Contributor

Did you ever figure this out? Currently having the same issue in my lab!

mayar
New Contributor II

I wasn't able to solve the issue, but I found a workaround to at least go throught the labs.

You can retrieve the config from the device and then make changes and push the changes to the device, you'll probably then get the out of sync flag, but the changes will be pushed.

That's the only way that I was able to find.

Let's hope Fortinet is going to do something about this issue

thebas
New Contributor

Hello!

 

Same issue here, regarding the workaround, how did you "retrieve the config from the device, made necessary changes and pushed to the device" ?

 

Thanks!

Best Regards
Best Regards
mayar
New Contributor II

Hi,

 

Exactly, when you push the condig and get the notification about the conflict, you can the retrieve the config from the revision history of the device to get it back in sync.

After that you can make changes and push it back to the device, in this case your changes will be applied, but the config that couldn't be push wouldn't, therefore you'll get the conflict again.

Keep taking the steps as long as needed.

 

Kind regards,

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors