Showing posts with label FortiManager.

FortiManager task fails when MTU is changed on LAG-Interface of FortiGate HA

If you want to change the MTU of a FortiGate HA cluster through the FortiManager, first remove that LAG interface from the HA monitored interfaces. When the MTU of a LAG interface is changed, the interface goes down and comes up again. If that LAG interface is one of the HA monitored interfaces, the FortiGate HA cluster performs a failover. That interrupts the running FortiManager task and may crash (reboot) the FortiManager.

FortiManager Log shows:

1560 2021-02-03 17:10:31 [..]
1561 2021-02-03 17:10:31 information Deployment manager event Device state updates
Device fgtdev214 config status changed to OUT_OF_SYNC by aborted, devdb MODIFIED
1562 2021-02-03 17:10:31 error prod-user54 Deployment manager event Policy package install failed Installation of the device settings (null) on fgtdev214[root] failed.
1563 2021-02-03 17:10:31 [..]

To avoid an unplanned FortiGate HA failover, a FortiManager crash and having to run diagnose dvm task repair on the FortiManager:

1. Schedule a maintenance window (communicate it and set a maintenance window in your monitoring and logging systems)
2. Remove the HA monitor interface for that LAG interface first (using the FortiManager)
3. Then adjust the MTU on the FortiGate LAG interface (using the FortiManager)
4. Enable the HA monitor interface for that LAG interface again (using the FortiManager)
5. Test the new MTU, communicate the change, and re-enable alerting / end the maintenance window in your monitoring systems and log alerts.
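The FortiOS CLI equivalent of steps 2 to 4, as an added example that is not part of the original post; the interface names lag1, port1 and port2 and the MTU value 9000 are assumptions, and the commands would be pushed as a FortiManager CLI script or typed on the cluster. In config system ha, set monitor replaces the whole list, so every interface that should stay monitored has to be named again.

```text
# Step 2: take the LAG out of the HA monitored-interface list.
# "set monitor" replaces the complete list, so name every interface
# that should remain monitored (assumed: port1 and port2 stay, lag1 goes).
config system ha
    set monitor "port1" "port2"
end

# Step 3: change the MTU on the LAG (assumed name lag1, assumed MTU 9000).
# The interface flaps, but it is no longer monitored, so no failover occurs.
config system interface
    edit "lag1"
        set mtu-override enable
        set mtu 9000
    next
end

# Step 4: put the LAG back into the monitored-interface list.
config system ha
    set monitor "port1" "port2" "lag1"
end

# Confirm both members are in sync and the expected unit is primary
# before closing the maintenance window.
get system ha status
```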

Solution for Skybox connection issue to Fortinet FortiGate or FortiManager

If you use the Skybox (https://www.skyboxsecurity.com/) solution in your environment, the initial setup may fail to connect from Skybox to your Fortinet FortiGate firewalls or your FortiManager firewall management system. Skybox uses HTTPS (XML API with SOAP) and/or SSH to connect to the Fortinet systems.

If your hardening of the Fortinet devices raised the minimum Diffie-Hellman key exchange size from the default 2048 bits to 3072, 4096 or 8192 bits, Skybox cannot connect to them, because Skybox currently supports no more than 2048-bit DH.

FortiGate Hardening of DH-Bits:

config sys global
 set dh-params 8192
end

See also the Skybox documentation "Reference Guide", e.g. "Reference Guide v10.801", or the overview of the documentation for all recent versions.

Monitor UniFi WLAN Access Point with PRTG with SNMPv3 Auth+Encrypted

This is a short guide on how to monitor your UniFi wireless access point, in this case a UniFi U7 Pro, via SNMPv3 with AES encryption and SHA authentication...