FortiGate
ibituya (Staff)
Article Id 301286

 

Description

This article describes how to troubleshoot the Symantec Endpoint Protection Manager (SEPM) external connector when it does not connect and its status shows as down.

Scope

FortiGate v7.2.4 and later.

Solution

Once the connector is established, FortiGate polls SEPM for updates over TCP 8446. If the Symantec connector status does not come up, first verify that traffic on TCP 8446 from the FortiGate to the SEPM server is permitted end to end (FortiGate policies, any intermediate firewalls, and the host firewall on the SEPM server).

On FortiGate versions before 7.0.1, the connector would come up even when SEPM presented a self-signed certificate. Starting with FortiGate v7.0.1, FortiGate validates the SEPM server certificate when it connects. If SEPM presents a self-signed certificate, or one whose Subject Alternative Name (SAN) does not match the address FortiGate connects to, the SEPM connector will fail to connect unless that certificate is explicitly trusted on the FortiGate (see below).

To determine whether the SEPM connector is failing because of a self-signed certificate, run the following debug commands:

diagnose debug console timestamp enable
diagnose debug application sepmd -1
diagnose debug enable

If a self-signed certificate is the cause, the debug output will contain lines similar to the following (curl error 60 is the certificate verification failure; the "error detail" line names the reason):

2024-02-26 11:38:50 SEPM sdn connector Symantec Manager getting token
2024-02-26 11:38:50 username:"admin", domain:""
2024-02-26 11:38:50 CURL preset DNS:10.81.3.170:8446:10.81.3.170
2024-02-26 11:38:50 URL: https://10.81.3.170:8446/sepm/api/v1/identity/authenticate
2024-02-26 11:38:50 [144] __curl_ssl_ctx_finalizer: global CAs are loaded.
2024-02-26 11:38:50 sepmd curl error: (60) SSL peer certificate or SSH remote key was not OK
2024-02-26 11:38:50 error detail: SSL certificate problem: self-signed certificate

 

Run a packet capture to see the certificate the SEPM presents and how the TLS handshake ends (a FortiGate that rejects the certificate typically closes the session with a TLS "unknown CA" alert):

diagnose sniffer packet any 'host x.x.x.x and port 8446' 6 0 l  <----- Where x.x.x.x is the SEPM server IP.

(Screenshot from the original article: sepm-unknown-ca.PNG, showing the Unknown CA alert in the capture.)

 

If SEPM is confirmed to be using a self-signed certificate and FortiGate rejects it, locate the server.crt file that SEPM's Apache instance serves on TCP 8446. On the SEPM server it is usually found under \Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ alongside server.key. Only server.crt (the public certificate) is needed on the FortiGate; server.key is SEPM's private key and should never leave the SEPM server.
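The two certificate checks this article describes (whether SEPM's certificate is self-signed, and whether its SAN covers the address FortiGate dials) can also be run from an admin workstation with openssl. The script below is an added example and is not from the article, Fortinet or Symantec. fetch_sepm_cert assumes a workstation that can reach SEPM and is the only part that needs the network; everything else runs offline against a constructed self-signed certificate standing in for server.crt, using the SEPM address 10.81.3.170 from the debug output above.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Classifies the certificate that
# SEPM presents on TCP 8446 against the two conditions described above:
# a self-signed issuer, and a SAN that does not cover the address FortiGate dials.
# Requires openssl 1.1.1 or later (for -addext when building the sample cert).

# fetch_sepm_cert HOST PORT: print the leaf certificate SEPM serves, as PEM.
# Run from an admin workstation that can reach SEPM (assumed; not used offline).
fetch_sepm_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# cert_is_self_signed PEMFILE: success if issuer equals subject, which is what
# curl/OpenSSL report as "self-signed certificate" at depth 0.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_san_covers PEMFILE ADDR: success if ADDR is listed as an IP or DNS SAN entry.
cert_san_covers() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(IP Address|DNS):$2(,|$)"
}

# sepm_cert_verdict PEMFILE ADDR: one line saying why FortiGate 7.0.1+ would
# reject the certificate and which sdn-connector setting pins it.
sepm_cert_verdict() {
    if cert_is_self_signed "$1"; then
        if cert_san_covers "$1" "$2"; then
            echo "self-signed, SAN covers $2: import as Remote Certificate and set server-cert"
        else
            echo "self-signed, SAN missing $2: reissue with a SAN for $2, then set server-cert"
        fi
    elif cert_san_covers "$1" "$2"; then
        echo "CA-signed, SAN covers $2: import the issuing CA and set server-ca-cert"
    else
        echo "CA-signed, SAN missing $2: reissue with a SAN for $2"
    fi
}

# make_sample_cert DIR CN [SAN]: constructed stand-in for SEPM's server.crt and
# server.key (self-signed, like the certificate this article troubleshoots).
make_sample_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    fi
}

# Offline demo with the SEPM address from the debug output above (10.81.3.170):
# first a self-signed cert whose SAN covers it, then one with no SAN at all.
demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp" sepm "IP:10.81.3.170"
    sepm_cert_verdict "$tmp/server.crt" 10.81.3.170
    make_sample_cert "$tmp" sepm
    sepm_cert_verdict "$tmp/server.crt" 10.81.3.170
    rm -rf "$tmp"
}
demo
```

Pointing sepm_cert_verdict at the real server.crt (or at the output of fetch_sepm_cert, which is what FortiGate actually sees on the wire) tells you which of the two sdn-connector settings applies before anything is imported.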

From the FortiGate:

  1. Go to System -> Certificates -> Create/Import -> Remote Certificate.
  2. Upload the SEPM certificate (server.crt).
  3. Apply the following CLI commands to assign the certificate to the sdn-connector:

config system sdn-connector
    edit <connector-name>
        set server-cert <remote-cert-name>
    next
end


Another option under sdn-connector is set server-ca-cert, which points at a CA certificate (imported under System -> Certificates as a CA certificate) so that only an SEPM server presenting a certificate issued by that CA is trusted. Use set server-cert to trust exactly one self-signed SEPM certificate, and set server-ca-cert when SEPM uses a certificate issued by an internal CA; in both cases the connection is pinned to a certificate the administrator imported rather than relying on the default trust store.

Note:
The set server-cert and set server-ca-cert options were added in FortiGate v7.2.4 and later.


Related document:
Symantec Endpoint connector
