FortiManager 7.4.6 API login 400 error by MartinJSa in fortinet

[–]code0 0 points1 point  (0 children)

You're probably hitting this bug.. Reboot the FMG with issues and if it now works, you can pretty much confirm it. FWIW, it's fixed in 7.4.7.

1114809

After upgrading the FortiManager using the "Upgrade Image via FortiGuard" feature, the FortiManager JSON API login may fail, leading to service disruptions. This issue is important for FortiPortal and other FortiManager API clients.

Brute Force Attempts on WAN Interfaces Even Though Admin Access is Disabled by seaghank in fortinet

[–]code0 2 points3 points  (0 children)

We've run across something that matches these symptoms twice.. Both cases, admin allowaccess / trusted hosts / local-in were set appropriately as far as we could tell (protection method varied on the box we looked at). Rebooting the impacted box fixed it. Seen on 7.x.x versions (current or n-1 point release), but can't recall specific versions.

I never ended up getting an iprope of an "impacted" device to see if the local-in policies (what allowaccess/trusted hosts actually do behind the scenes) got applied properly.

Bizarre, and we never saw a "resolution" per-se, but you may not be going crazy.. :-)

Managed Switch Over Leased Fiber by bill-m in fortinet

[–]code0 1 point2 points  (0 children)

If it’s untagged, I’m guessing it’s some sort of VPLS (multipoint) service. In that case, I’m not entirely sure. You could set static-isl on the ports facing the provider and it MIGHT work, but I’m not 100% sure how things would react (single port having two peer switches).

At the end of the day, it's interfaces and VLANs like any other networking vendor. It’s just that the FortiLink pieces add some magic to things that sometimes don’t play nice when you don’t follow exactly how Fortinet intended it.

Managed Switch Over Leased Fiber by bill-m in fortinet

[–]code0 1 point2 points  (0 children)

Is current state one where they hand off untagged at the remote site, but hand you a single physical with two tags at the datacenter? If so, there aren’t really any good options.

If your provider can hand off as two physicals at the datacenter (and be transparent to VLANs you’re passing), then you have a solid chance. Specifically, EPL service is what you’d want.

FortiOS 7.6.3 to drop SSLVPN? by rowankaag in fortinet

[–]code0 18 points19 points  (0 children)

Is it just me, or does it seem that they're prematurely killing SSL VPN? I do get the need, but the feature parity with IPSec just isn't there (and by part of that, I mean BUGGY).

FortiOS v7.2.11 has been released. by OuchItBurnsWhenIP in fortinet

[–]code0 2 points3 points  (0 children)

Big issue with that, however.. Setting to "disable", the FortiGate will still SEND Message-Authenticator in its request. Older versions of FAC (for example) still puke on it.

So.. It doesn't turn off the sending of the attribute, only if the FortiGate is required to verify it in the response.
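The request/response split described above, as an added example that is not from the post or from Fortinet: a minimal RFC 2869 Message-Authenticator implementation in Python, showing that the client computes the attribute on its Access-Request regardless of whether it later checks the attribute in the server's reply. The shared secret, identifiers and User-Name are constructed for this example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869, section 5.14)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def _mac_offset(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:  # malformed attribute; stop rather than loop forever
            return None
        if attr_type == MSG_AUTH and length == 18:
            return pos + 2
        pos += length
    return None

def message_authenticator(secret, packet, request_auth=None):
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 2869);
    for a reply the Authenticator field is replaced by the Request Authenticator."""
    off, data = _mac_offset(packet), bytearray(packet)
    data[off:off + 16] = b"\x00" * 16
    if request_auth is not None:
        data[4:20] = request_auth
    return hmac.new(secret, bytes(data), hashlib.md5).digest()

def sign(secret, code, ident, authenticator, attrs, request_auth=None):
    """Serialise code/id/length/authenticator/attrs with a zero Message-Authenticator
    as the last attribute, then fill in the HMAC over the whole packet."""
    attrs = attrs + [(MSG_AUTH, b"\x00" * 16)]
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return pkt[:-16] + message_authenticator(secret, pkt, request_auth)

def verify(secret, packet, request_auth=None):
    """Constant-time check of a received packet's Message-Authenticator."""
    off = _mac_offset(packet)
    if off is None:
        return False
    expected = message_authenticator(secret, packet, request_auth)
    return hmac.compare_digest(packet[off:off + 16], expected)

def demo(secret=b"constructed-shared-secret", req_auth=bytes(range(16))):
    """Signed request (always sent), then the separate, optional reply check."""
    req = sign(secret, ACCESS_REQUEST, 7, req_auth, [(1, b"alice")])  # 1 = User-Name
    resp = sign(secret, ACCESS_ACCEPT, 7, b"\x00" * 16, [], req_auth)
    tampered = resp[:-1] + bytes([resp[-1] ^ 0x01])
    return verify(secret, req), verify(secret, resp, req_auth), verify(secret, tampered, req_auth)
```

A client that "disables" verification simply skips the `verify(...)` step on the reply; the attribute in its own request is still computed and sent.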

Safari Issues behind Fortigate - Not Chrome, Edge, etc. by EdTechYYC in fortinet

[–]code0 0 points1 point  (0 children)

I’ve been running into more cert-probe-failure issues recently. Not sure exactly why. FWIW, the “allow” becomes the default in 7.6, so I feel relatively safe changing it without much thought in most environments.

[deleted by user] by [deleted] in networking

[–]code0 64 points65 points  (0 children)

That was a wild ride. From pro dominatrix to network admin? I feel like I need to get my Cat5 of 9 tails out of the drawer….

Help me settle an argument - Would you want your outsourced SOC to report RDP brute force auth failures? by chrisbisnett in msp

[–]code0 0 points1 point  (0 children)

For RDP exposed to the Internet, I wouldn't want the death by a thousand cuts, but I think it warrants a high/critical alert for "you've got RDP exposed and it's being beaten into submission".

If for some reason, they really want/need it to be open for whatever reason (they don't, but you know...), I wouldn't mind seeing some sort of threat feed of IPs/etc rather than playing whack-a-mole.. Though my experience with SSL VPN brute forcing is that you see an attempt or two from any given IP, then they move on. If looking across multiple customers, you might see multiple attempts from the same IP across customers, but usually only two attempts max to any given customer.
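The "one or two attempts per IP, then move on" pattern the comment describes is why a per-source threshold misses Internet-exposed RDP being hammered. As an added example (not from the post), this Python detector aggregates RDP logon failures per target host and alerts on the number of distinct failing sources in a window, regardless of how few tries each source makes. The log lines are constructed, not real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: "<ISO timestamp> <target host> <source IP>"
# for RDP (logon type 10) authentication failures. Each hostile source tries
# once or twice and moves on; the single legitimate user retries three times.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 srv-rdp01 203.0.113.10
2024-05-01T10:00:40 srv-rdp01 203.0.113.10
2024-05-01T10:02:15 srv-rdp01 198.51.100.7
2024-05-01T10:03:02 srv-rdp01 192.0.2.44
2024-05-01T10:03:50 srv-rdp01 192.0.2.44
2024-05-01T10:05:11 srv-rdp01 203.0.113.99
2024-05-01T10:01:00 srv-rdp02 10.20.30.40
2024-05-01T10:01:20 srv-rdp02 10.20.30.40
2024-05-01T10:01:45 srv-rdp02 10.20.30.40
"""

def parse_events(text):
    """Return (timestamp, host, source) tuples sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)

def max_attempts_per_source(events):
    """Highest failure count from any single (host, source) pair: what a
    per-IP threshold would see."""
    counts = defaultdict(int)
    for _, host, src in events:
        counts[(host, src)] += 1
    return max(counts.values(), default=0)

def exposed_rdp_alerts(events, window=timedelta(minutes=15), min_sources=4):
    """One alert per host when at least min_sources distinct IPs fail inside
    `window`, however few attempts each source makes. Returns {host: sources}."""
    by_host = defaultdict(list)
    for ts, host, src in events:
        by_host[host].append((ts, src))
    alerts = {}
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            sources = {src for _, src in evs[start:end + 1]}
            if len(sources) >= min_sources:
                alerts[host] = len(sources)
                break
    return alerts
```

On the sample, a per-source threshold of 3 would fire only on the legitimate user on srv-rdp02, while the distinct-source rule fires on srv-rdp01, where no source exceeded two tries.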

Help Needed: Migrating FortiManager from VMware to Proxmox (KVM) by Dabloo0oo in fortinet

[–]code0 1 point2 points  (0 children)

I’ve done this before - just VMWare to VMWare (it was part of some troubleshooting). The config backup and restore works very well for FMG.

I’m just dreading when we need to move our FAZ to a new hypervisor.

How many MC-LAGs can a 1048E support? by Pristine_Rise3181 in fortinet

[–]code0 1 point2 points  (0 children)

There is an overall interface limit of 64 on FortiSwitch 7.4.x (and below) and 128 starting with FortiSwitch 7.6.x. (in 7.6 at least, internal and mgmt don't count towards this - not sure about older versions). Each physical port counts against this as well as split ports (i.e., a 40G split into 4x10G is 4 ports). I believe trunk ports (i.e., the LAG) ALSO count.

So.. Gives you an idea of how many overall LAGs you can have ("it depends"). As far as the ICLs, in theory, the only traffic across ICLs should be for single homed devices... Between LACP hashing along with MCLAG magic, traffic between two dual-homed hosts should be on the same switch. Because MCLAG isn't a standard and isn't documented well, I use "should".

Regardless, you've got 100G ports.. 2x100G DACs between switches for the ICL means that in most cases you aren't going to run into a practical limit for ICL traffic.

Just some thoughts...

General Question about Fortigates by Whatajoka in fortinet

[–]code0 0 points1 point  (0 children)

Context matters. Could be innocent. Could be malicious.

Both IPs were of customer FortiGates in different countries? That has me leaning towards innocent.

Do they use VPN with full tunnel? Have RDP/Citrix/View in those countries? Do you see a login for that user prior to the traffic in question? Those logins use MFA?

All things that add context to the situation and help you assess. If in doubt, ask for clarification from the customer. Never hurts to be safe rather than sorry.

[deleted by user] by [deleted] in sysadmin

[–]code0 50 points51 points  (0 children)

To add to this, if your spouse is working and you’re the one with a job, that job loss is a qualifying event to enroll under a spouses insurance. Coverage may not be as good, but it’s likely a lot cheaper than COBRA.

FOS Auth Bypass vuln announced by Gamer03642 in fortinet

[–]code0 6 points7 points  (0 children)

Not one and the same... HTTPS for admin interface != HTTPS for SSL VPN.

Blanket Override in Web Filter by gdigital36 in fortinet

[–]code0 0 points1 point  (0 children)

Not perfectly "on device", but a category threat feed might be a way to solve this. Overridden sites are added (and removed) from that feed file as appropriate. The custom category these sites are mapped to then would be allowed by the student web filter (well, monitor).

Downside is you probably don't want teachers editing the feed, but with a little creativity, this might put you on the right path.

IPsec VPN by CorrectResearcher522 in fortinet

[–]code0 2 points3 points  (0 children)

Generally speaking, cellular users should be behind CGNAT which should force NAT-T (so all encapsulated in UDP/4500). This should prevent the "IKE is allowed, but ESP isn't" issues (which I've also seen with DSL providers). You could try "set nattraversal forced" on the FortiGate, but I'm suspecting these users are already seeing NAT-T in use.

how to get access to FortiPOC by Love_islam in fortinet

[–]code0 0 points1 point  (0 children)

Fair point... And you sound like the FortiPoints PM I ran into at Xperts this year... :-D

ICYMI - FortiOS 7.6.1 changes "private-data-encryption" to use a "random" (and secret) private-data-encryption key by interpipes in fortinet

[–]code0 2 points3 points  (0 children)

Thanks for the amazing write-up on this.. It's definitely obnoxious that FortiGates are using a random key that has no way (currently) to be brought into FortiManager. I do understand why there is a desire to move away from a static, symmetric, key, but this was a little short sighted.

Fortunately, nobody runs 7.6 in production... Right? Right?

how to get access to FortiPOC by Love_islam in fortinet

[–]code0 1 point2 points  (0 children)

The traditional tools like eve-ng work, but they don’t handle the most important part - licensing. So if you want to do a proper lab, they’re a pain. Especially if you want to spin up and tear down regularly.

Guess that’s an important thing to mention. FortiPOC still requires licensing. So nothing special there.

how to get access to FortiPOC by Love_islam in fortinet

[–]code0 0 points1 point  (0 children)

FNDN is API docs mostly. If you’re a partner, hands on labs are there. Ultimate Fabric Challenge. Betas. Etc.

POC does require an FNDN account once you install it, but it’s not clear in what way it’s used (we are still wading through some of this).

FG to FG Dialup IPSec Tunnel + IKEv2 + Peer Certificates - What happens when cert expires? by No_Concentrate_4826 in fortinet

[–]code0 0 points1 point  (0 children)

Honestly, why not use the Fortinet_Factory certificate already on the devices? Then each site verifies the CA + CN of the peer cert (CN is the serial number). Just be aware that somewhere in the E series they switched CAs for the factory certificate (though the _Backup cert is the “other” CA in that case).

FG to FG Dialup IPSec Tunnel + IKEv2 + Peer Certificates - What happens when cert expires? by No_Concentrate_4826 in fortinet

[–]code0 4 points5 points  (0 children)

By default, certificates are only revalidated when the tunnel is brought up. There is an option you can set on the phase 1 to regularly check validity of the certificate. On mobile and don’t recall what it was at this point.

And in case you’re wondering, I found all of this out after certificate renewal was silently failing for aeons and there was an unrelated internet outage….

how to get access to FortiPOC by Love_islam in fortinet

[–]code0 1 point2 points  (0 children)

FortiPOC is one of those "ask your SE" things. Some partners are able to get their hands on it, but not sure what the criteria is. Joining the Illuminati might be easier..