FortiManager can't add a new FortiGate device. (trial license)

#1 Nikita, 2019/08/02 06:56:34

Hello all!

I installed FortiManager VM-64 (trial version) and tried to add a new FortiGate device (VM64, trial version), but no luck.
Virtualization platform: VMware ESXi.

I tried to initiate it from the FortiManager GUI and from the FortiGate GUI.

When I enable debug on the devices, there are some errors:
 
diagnose debug enable 
diagnose debug application fgfmd -1
 
FGFMs: cert_id<0>, sni<support.>FGFMs: set_fgfm_sni SNI<support.fortinet.com>
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: [__get_error:612] error=5, errno=104,Connection reset by peer.
 
Could anyone help with this question, please?

#2 brazz_FTNT, 2019/08/02 08:50:31
Hey, 
What are the FMG and FGT versions?
Cheers

#3 Nikita, 2019/08/05 03:21:54
Thank you for the answer.

Versions:
FortiManager - v6.2.0-build1050 190411 (GA)
FortiGate - v6.2.0 build0866 (GA)

#4 brazz_FTNT, 2019/08/05 07:26:18
  • Are they on the same subnet?
  • Any devices in the middle doing any inspection?
  • Show me the:
       config log fortianalyzer setting
       get
Cheers
 
#5 Nikita, 2019/08/07 01:08:44
- Yes, on the same subnet.
- No, there aren't any devices in between.

FortiAnalyzer? Sure? But I am trying to connect to FortiManager.
 
 
FortiGate-node1 (setting) # get
status : disable
certificate :
 
#6 brazz_FTNT, 2019/08/07 07:25:22
Hey,
Thanks,
can you please run:
On FMG:
config system global
get
 
On FGT:
config system central-management
get

#7 Nikita, 2019/08/07 10:37:25
FortiGate-node1 (central-management) # get
mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-push-firmware : enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
serial-number :
fmg : "<fortimanager-ip>" 
fmg-source-ip : 0.0.0.0
fmg-source-ip6 : ::
local-cert :
vdom : root
server-list:
include-default-servers: enable
enc-algorithm : low
 
FMG-VM64 # config system global
(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode : normal
adom-rev-auto-delete: by-revisions
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-status : disable
clt-cert-req : disable
console-output : standard
country-flag : enable
create-revision : disable
daylightsavetime : enable
default-disk-quota : 1000
detect-unregistered-log-device: enable
device-view-mode : regular
dh-params : 2048
disable-module :
enc-algorithm : high
faz-status : disable
fgfm-local-cert : (null)
fgfm-ssl-protocol : tlsv1.2
ha-member-auto-grouping: enable
hitcount_concurrent : 100
hitcount_interval : 300
hostname : FMG-VM64
import-ignore-addr-cmt: disable
language : english
latitude : (null)
ldap-cache-timeout : 86400
ldapconntimeout : 60000
log-checksum : none
log-forward-cache-size: 0
longitude : (null)
max-running-reports : 1
oftp-ssl-protocol : tlsv1.2
partial-install : disable
perform-improve-by-ha: disable
policy-hit-count : disable
policy-object-in-dual-pane: disable
pre-login-banner : disable
remoteauthtimeout : 10
search-all-adoms : disable
ssl-low-encryption : disable
ssl-protocol : tlsv1.2
ssl-static-key-ciphers: enable
task-list-size : 2000
timezone : (GMT+3:00) Moscow.
tunnel-mtu : 1500
usg : enable
vdom-mirror : disable
webservice-proto : tlsv1.2
workspace-mode : disabled
 
#8 brazz_FTNT, 2019/08/07 10:43:29
Hey, 
 
Thanks for the update. 
On FGT:
Let's set the enc-algorithm to high and try adding the FGT to FMG. 
Let me know about the results
Cheers

#9 Nikita, 2019/08/08 00:54:28
Hi,
thanks for your help!

I changed enc-algorithm to 'default'. There isn't a 'high' option exactly.
As far as I know, the trial license supports only the low enc-algorithm.
 
FortiGate-node1 (central-management) # show
config system central-management
set type fortimanager
set fmg "<fortimanager-ip>"
set enc-algorithm default
end
 
After the changes the debug log looks a little different:

FGFMs: Connect to <fortimanager-ip>:541, local <fortigate-ip>:8201.
FGFMs: cert_id<0>, sni<support.>FGFMs: set_fgfm_sni SNI<support.fortinet.com>
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: Cleanup session 0xcedb650, <fortimanager-ip>.
FGFMs: Destroy session 0xcedb650, <fortimanager-ip>.

#10 brazz_FTNT, 2019/08/08 07:53:30
Hello, 
Thanks for the update. 
 
+Did you try adding it from FGT or from FMG?
+Also, just for testing, let's play with the "fgfm-ssl-protocol" on the FMG side.
 For example, let's set it to tlsv1.0 and retry.
Let me know about the results.


Below are the settings of my FMG and FGT:
 
==========================================================
 
(global)# get
admin-lockout-duration: 60
admin-lockout-threshold: 3
adom-mode : normal
adom-rev-auto-delete: by-revisions
adom-rev-max-backup-revisions: 5
adom-rev-max-revisions: 120
adom-select : enable
adom-status : enable
clt-cert-req : disable
console-output : standard
country-flag : enable
create-revision : disable
daylightsavetime : enable
detect-unregistered-log-device: enable
device-view-mode : tree
dh-params : 2048
disable-module :
enc-algorithm : low
faz-status : disable
fgfm-local-cert : (null)
fgfm-ssl-protocol : tlsv1.0
ha-member-auto-grouping: enable
hitcount_concurrent : 100
hitcount_interval : 300
hostname : FMG-08
import-ignore-addr-cmt: disable
language : english
latitude : (null)
ldap-cache-timeout : 86400
ldapconntimeout : 60000
log-checksum : none
log-forward-cache-size: 0
longitude : (null)
max-running-reports : 1
oftp-ssl-protocol : tlsv1.0
partial-install : disable
perform-improve-by-ha: disable
policy-hit-count : disable
policy-object-in-dual-pane: disable
pre-login-banner : disable
remoteauthtimeout : 10
search-all-adoms : disable
ssl-low-encryption : enable
ssl-protocol : tlsv1.2 tlsv1.1 tlsv1.0
ssl-static-key-ciphers: enable
task-list-size : 2000
timezone : (GMT-8:00) Pacific Time (US & Canada).
tunnel-mtu : 1500
usg : enable
vdom-mirror : disable
webservice-proto : tlsv1.2 tlsv1.1 tlsv1.0
workspace-mode : disabled
 
FGT (central-management) # get
mode : normal
type : fortimanager
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-push-firmware : enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
serial-number : "FMG-SN"
fmg : "IP"
fmg-source-ip : 0.0.0.0
fmg-source-ip6 : ::
local-cert :
vdom : root
server-list:
include-default-servers: enable
enc-algorithm : high
 
#11 Nikita, 2019/08/09 02:35:50
Hi, 
I tried to connect from both sides. 
 
After the changes in enc-algorithms:
 
FGFMs: issuer matching...try next if not match... localissuer(fortinet-subca2001), remoteissuer(support)
FGFMs: No extra certs matched, aborting connection!
FGFMs(probing...): Connection was interrupted. sockevents[-1] sslerr[0]
FGFMs(probing...): Cleanup session 0x7f8285295c00, 10.1.134.226.
FGFMs(probing...): Destroy session 0x7f8285295c00, 10.1.134.226.
 
My configuration looks similar, but on your FGT -
enc-algorithm : high

My device doesn't let me input it. Only default or low, because it's a trial version.

Are your configurations from devices on a trial license or a permanent one?

Could you show 'get system global' from your FGT?
 
Many thanks. 

#12 sajiby3k, 2019/08/09 03:18:01
Hi,
The solution to your problem is enabling "set fgfm-ssl-protocol tlsv1.0" in fortimanager.
 
And I am adding the FortiGate from FortiManager.
For me, authorizing the device in FortiManager does not work. The only way I can add the FortiGate to FortiManager is to click Add Device in FortiManager.

Settings in FortiGate:
 
config system central-management
set type fortimanager
set fmg "192.168.150.102"
set fmg-source-ip 192.168.150.128
end
 
Settings in FortiManager:
 
config system global
set adom-status enable
set fgfm-ssl-protocol tlsv1.0
set timezone 26
set usg enable
end
 
 
 
#13 Nikita, 2019/08/09 04:57:18
Hi, 
 
I have already tried it, but no results. :(

Do you use a trial license too?
 
 
#14 sajiby3k, 2019/08/12 06:32:40
I use a trial license on both FortiManager and FortiGate. Do not play with encryption.

Important - Do not send a register message from FortiGate and then try to authorize it from FortiManager. It does not work.

Only works - Add Device from FortiManager.

And when you test a policy package, you will see an error every time - FortiManager sends an invalid VPN certificate. After every policy deployment, I need to do a manual export again.

#15 Nikita, 2019/08/14 10:57:32
The very interesting thing is that I tried to reproduce it on my PC with VMware Workstation 15.

I successfully added the FGT from FMG without any additional setup, only network connectivity and enabling the FGFM protocol on the FGT's interface.

But after I tried to remove this device from the FMG GUI, I couldn't add it anymore.
Tried to install from a new template, but the result is the same :(

Does anybody have any thoughts about it?

#16 leezong_FTNT, 2019/08/15 14:57:29
Please configure the following on FMG and try again.
 
config system global
set enc-algorithm low
set fgfm-ssl-protocol tlsv1.0
end
 
#17 Nikita, 2019/08/19 05:43:06
Many thanks to you!

This was the solution:

config system global
set enc-algorithm low
set fgfm-ssl-protocol tlsv1.0
end
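The three fgfmd debug excerpts in this thread (post #1, post #9 and post #11) each stop at a different point of the FGFM handshake: a reset right after the ClientHello, a silent session cleanup after the ClientHello, and an issuer mismatch once the FMG certificate is inspected. The script below is an added example, not Fortinet code and not posted by anyone in the thread. It classifies `diagnose debug application fgfmd -1` output by the stage it reached; the stage names, verdict wording and the 192.0.2.x addresses in the sample excerpts are my own choices, and the excerpts themselves are reconstructed from the posts above. Note that the fix the thread settles on (enc-algorithm low, fgfm-ssl-protocol tlsv1.0) widens what FMG accepts down to DES-class ciphers and TLS 1.0; that is acceptable for a trial-license lab, not for a production FGFM tunnel.

```python
"""Triage helper for FortiGate `diagnose debug application fgfmd -1` output.

Added example, not Fortinet code. It classifies one FGFM (TCP/541) tunnel
attempt by the stage it reached, using the message patterns seen in the
thread's three debug excerpts. Stage names and verdict wording are my own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CONNECT_RE = re.compile(r"Connect to (\S+):(\d+), local (\S+):(\d+)")
CIPHER_RE = re.compile(r"Load Cipher \[([^\]]+)\]")
SNI_RE = re.compile(r"set_fgfm_sni SNI<([^>]+)>")
ISSUER_RE = re.compile(r"localissuer\(([^)]+)\), remoteissuer\(([^)]+)\)")
ERROR_RE = re.compile(r"error=(\d+), errno=(\d+),(.*)$")
WEAK_CIPHER_NOTE = "client offers only DES-class ciphers (FortiGate enc-algorithm low)"


@dataclass
class FgfmDiagnosis:
    stage: str = "connect"              # connect | client_hello | cert_verify
    failed: bool = False
    verdict: str = "no TLS activity seen in the excerpt"
    fmg: Optional[str] = None           # FortiManager address from "Connect to"
    local: Optional[str] = None         # FortiGate source address
    cipher_list: Optional[str] = None   # OpenSSL cipher string the FGT loaded
    sni: Optional[str] = None
    local_issuer: Optional[str] = None
    remote_issuer: Optional[str] = None
    errno: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def diagnose_fgfm(debug_output: str) -> FgfmDiagnosis:
    """Walk the debug lines in order and record the furthest stage reached."""
    d = FgfmDiagnosis()
    for raw in debug_output.splitlines():
        line = raw.strip()
        if m := CONNECT_RE.search(line):
            d.fmg, d.local = m.group(1), m.group(3)
        if m := CIPHER_RE.search(line):
            d.cipher_list = m.group(1)
        if m := SNI_RE.search(line):
            d.sni = m.group(1)
        if "write client hello" in line:
            d.stage = "client_hello"
        if m := ISSUER_RE.search(line):
            # Handshake got far enough to inspect the FMG certificate chain.
            d.stage = "cert_verify"
            d.local_issuer, d.remote_issuer = m.group(1), m.group(2)
        if "No extra certs matched" in line:
            d.stage, d.failed = "cert_verify", True
            d.verdict = (f"FMG certificate issuer '{d.remote_issuer}' matches none of "
                         f"the issuers the FGT trusts (local issuer '{d.local_issuer}')")
        if m := ERROR_RE.search(line):
            d.failed, d.errno = True, int(m.group(2))
            d.verdict = (f"peer closed the connection right after the ClientHello "
                         f"({m.group(3).strip().rstrip('.')}); usually no TLS "
                         f"version/cipher overlap between the FGT and FMG settings")
        if "Cleanup session" in line and not d.failed and d.stage == "client_hello":
            d.failed = True
            d.verdict = ("FMG dropped the session after the ClientHello without an error; "
                         "the handshake was rejected silently")
    if d.cipher_list and "DES" in d.cipher_list and "AES" not in d.cipher_list:
        d.notes.append(WEAK_CIPHER_NOTE)
    return d


# Constructed sample input: the thread's excerpts with 192.0.2.x placeholder addresses.
RESET_AFTER_HELLO = """\
FGFMs: cert_id<0>, sni<support.>FGFMs: set_fgfm_sni SNI<support.fortinet.com>
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: before SSL initialization
FGFMs: SSLv3/TLS write client hello
FGFMs: [__get_error:612] error=5, errno=104,Connection reset by peer.
"""
SILENT_CLOSE = """\
FGFMs: Connect to 192.0.2.10:541, local 192.0.2.20:8201.
FGFMs: Load Cipher [DES:@STRENGTH]
FGFMs: SSLv3/TLS write client hello
FGFMs: Cleanup session 0xcedb650, 192.0.2.10.
FGFMs: Destroy session 0xcedb650, 192.0.2.10.
"""
ISSUER_MISMATCH = """\
FGFMs: issuer matching...try next if not match... localissuer(fortinet-subca2001), remoteissuer(support)
FGFMs: No extra certs matched, aborting connection!
FGFMs(probing...): Connection was interrupted. sockevents[-1] sslerr[0]
FGFMs(probing...): Cleanup session 0x7f8285295c00, 192.0.2.10.
"""

if __name__ == "__main__":
    for name, excerpt in [("post #1", RESET_AFTER_HELLO), ("post #9", SILENT_CLOSE),
                          ("post #11", ISSUER_MISMATCH)]:
        d = diagnose_fgfm(excerpt)
        print(f"{name}: stage={d.stage} failed={d.failed}", d.verdict, *d.notes, sep="\n  ")
```

Run it as a script to see the three verdicts, or paste a fresh fgfmd capture into `diagnose_fgfm()`. The `notes` field flags a DES-only cipher string, which is what the trial FGT loads with enc-algorithm low; a "client_hello" failure with that note is the mismatch the thread hit against an FMG set to enc-algorithm high and TLS 1.2 only.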