Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mayar
New Contributor II

Created on ‎09-30-2024 06:20 AM Edited on ‎09-30-2024 08:59 AM

set banned-cipher prevents pushing the device configuration on trial Fortigate VM

Hi there,

 

I'm having issue in a lab (build by me) that i've created with trial version of FortiGate VMs (x2), FortiManager (x1) and FortiAnalyzer (x1).

I've added two FortiGates to the FortiManager, and everything was working without issues, untill the first device installation.

The FortiManager keeps showing error in the installation of device configuration, after digging around, i found out that the issue occurs because of the "set banned-cipher" command. This command seems to be not available in the trial fortivm, and in the FortiManager I wasn't able to remove the setting from the CLI configuration (because it requires at least 1 cipher that has to be banned).

The running versions of the devices are;

FortiGate VMs KVM 7.4.4 build 2662 (Feature)

FortiManager v7.4.3-build2487 240514 (GA)

FortiAnalyzer (while it doesn't have to do with the issue) v7.4.3-build2487 240514 (GA)

2024-09-30 15_08_25-gns3@gns3vm - TightVNC Viewer.png2024-09-30 15_09_18-gns3@gns3vm - TightVNC Viewer.png2024-09-30 15_11_04-gns3@gns3vm - TightVNC Viewer.png

 

When i deselect the banned-cipher and click apply (in the CLI configuration of the device) the ciphers SHA1, SHA256 and SHA384 are reselected again!

2024-09-30 15_17_02-gns3@gns3vm - TightVNC Viewer.png

Did anyone encounter this issue?

is there a solution for this issue?

Labels:
867
0 Kudos
12 REPLIES 12
dbhavsar
Staff
Staff

Created on ‎09-30-2024 07:49 AM

Hello @mayar ,

 

- Have you tried manually configuring this on FortiGate?

DNB
729
0 Kudos
mayar
New Contributor II
In response to dbhavsar

Created on ‎09-30-2024 08:59 AM

Hi,

I've tried to configure the setting thorugh the CLI on the Fortigate, but the whole command seems not to exist, it might have to do with the fact that the Fortigates have trial licenses. But I'm not sure.

692
0 Kudos
dbhavsar
Staff
Staff
In response to mayar

Created on ‎09-30-2024 10:17 AM

Hello @mayar,

Just to confirm, is there any VDOMs configured in your FortiGate?

 

DNB
672
0 Kudos
mayar
New Contributor II
In response to dbhavsar

Created on ‎09-30-2024 12:02 PM Edited on ‎09-30-2024 12:02 PM

Hi,

No there are no VDOMs configured, but I'm curious why the question? :D

I do know that each VDOM is treated by Fortimanager as a separate entity, but this doesn't have to do with the current issue as far as I can see, please correct me if I'm wrong.

644
0 Kudos
mayar
New Contributor II

Created on ‎10-06-2024 04:50 AM

Does anyone have the answer to my question?

I would really appreciate it!

505
0 Kudos
Polarbearsnow
New Contributor

Created on ‎10-19-2024 03:35 AM

Did you ever figure this out? Currently having the same issue in my lab!

393
0 Kudos
mayar
New Contributor II
In response to Polarbearsnow

Created on ‎10-19-2024 01:39 PM Edited on ‎10-19-2024 01:40 PM

I wasn't able to solve the issue, but I found a workaround to at least go throught the labs.

You can retrieve the config from the device and then make changes and push the changes to the device, you'll probably then get the out of sync flag, but the changes will be pushed.

That's the only way that I was able to find.

Let's hope Fortinet is going to do something about this issue

366
0 Kudos
thebas
New Contributor
In response to mayar

Created on ‎11-07-2024 02:08 PM

Hello!

 

Same issue here, regarding the workaround, how did you "retrieve the config from the device, made necessary changes and pushed to the device" ?

 

Thanks!

Best Regards
Best Regards
184
0 Kudos
mayar
New Contributor II
In response to thebas

Created on ‎11-07-2024 10:48 PM

Hi,

 

Exactly, when you push the condig and get the notification about the conflict, you can the retrieve the config from the revision history of the device to get it back in sync.

After that you can make changes and push it back to the device, in this case your changes will be applied, but the config that couldn't be push wouldn't, therefore you'll get the conflict again.

Keep taking the steps as long as needed.

 

Kind regards,

165
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.