This article describes how to troubleshoot the Symantec Endpoint Protection Manager (SEPM) external connector when it fails to connect and its status shows as down.
FortiGate v7.2.4 and later
FortiGate polls the Symantec Endpoint Protection Manager (SEPM) for updates over TCP 8446 once the connection is established. If the Symantec connector status does not come up, first verify that traffic over TCP 8446 between the FortiGate and the SEPM is permitted by any firewall or filtering device in the path.
On FortiGate versions before 7.0.1, FortiGate accepts a self-signed certificate from the SEPM. Starting with FortiGate v7.0.1, FortiGate validates the certificate presented by the SEPM. If the SEPM uses a self-signed certificate, or a certificate without a proper SAN matching the server address configured on the FortiGate, the SEPM connector fails to connect.
To determine whether the SEPM connector is failing because the SEPM uses a self-signed certificate, run the following debug commands:
diagnose debug console timestamp enable
diagnose debug application sepmd -1
diagnose debug enable
If a self-signed certificate is used, debug output similar to the following is shown. The relevant lines are the curl error (60) and its error detail:
2024-02-26 11:38:50 SEPM sdn connector Symantec Manager getting token
2024-02-26 11:38:50 username:"admin", domain:""
2024-02-26 11:38:50 CURL preset DNS:10.81.3.170:8446:10.81.3.170
2024-02-26 11:38:50 URL: https://10.81.3.170:8446/sepm/api/v1/identity/authenticate
2024-02-26 11:38:50 [144] __curl_ssl_ctx_finalizer: global CAs are loaded.
2024-02-26 11:38:50 sepmd curl error: (60) SSL peer certificate or SSH remote key was not OK
2024-02-26 11:38:50 error detail: SSL certificate problem: self-signed certificate
Alternatively, run a packet capture to see the certificate the SEPM presents. Verbosity level 6 includes the frame payload, so the capture can be converted to pcap and opened in Wireshark. Note that the Server Certificate message is visible in clear text only for TLS 1.2 and earlier handshakes; with TLS 1.3 it is encrypted, so the debug output above is the more reliable indicator in that case.
diagnose sniffer packet any 'x.x.x.x and port 8446' 6 0 l <----- Where x.x.x.x is the SEPM server IP.
If the SEPM is confirmed to be using a self-signed certificate and the FortiGate rejects the connection, locate the server.crt file used by SEPM. Only the public certificate (server.crt) needs to be imported into the FortiGate as a remote certificate; server.key is the private key and stays on the SEPM.
The file is usually found under this path: \Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\.
On the FortiGate, import server.crt as a remote certificate (System > Certificates) and reference its name in the connector configuration:
config system sdn-connector
edit <connector-name>
set server-cert <remote-cert-name>
next
end
Another option under the sdn-connector is set server-ca-cert <ca-cert-name>, which trusts only servers whose certificate is signed, directly or indirectly, by that CA certificate. This is the option to use when the SEPM certificate is issued by an internal CA rather than being self-signed, and it can be set together with server-cert as an additional validation.
Note:
The set server-cert and set server-ca-cert options are available starting with FortiGate v7.2.4.
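The following script is an added example and is not part of the Fortinet article, nor FortiGate or SEPM code. It reproduces, with openssl on a Linux or macOS host that can reach the SEPM, the checks sepmd performs (TCP 8446 reachability, then certificate validation against the global CA store) and shows why pinning the SEPM certificate (the set server-cert model) or its issuing CA (the set server-ca-cert model) makes validation pass. It assumes openssl 1.1.1 or later and bash. The host name sepm.example.test is an assumption, and the self-signed certificate it generates is constructed test input standing in for the SEPM's server.crt; the SEPM IP 10.81.3.170 is taken from the debug output in the article and used only as a SAN entry.

```shell
#!/usr/bin/env bash
# Added example (not from the Fortinet article). Mirrors with openssl what sepmd does
# when it connects to the SEPM on TCP 8446 and validates its certificate.
# Assumes openssl 1.1.1+ (needed for -addext and -ext). Host names are assumptions.
set -euo pipefail

# Check that TCP 8446 is reachable using bash's /dev/tcp (no data is sent). Network only.
sepm_port_open() {
    local host="$1" port="${2:-8446}"
    timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Fetch the leaf certificate the SEPM presents, as PEM on stdout. Network only.
# Usage: sepm_fetch_cert 10.81.3.170 > sepm-server.crt
sepm_fetch_cert() {
    local host="$1" port="${2:-8446}"
    # -servername sets SNI; </dev/null ends the session right after the handshake
    openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print "self-signed" when subject and issuer are identical, otherwise "ca-issued".
cert_issuer_kind() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes before comparing
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo ca-issued; fi
}

# Print the subjectAltName entries on one line, or nothing if the extension is absent.
# The address configured for the connector on the FortiGate (IP or FQDN) must appear here.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -E 'DNS:|IP Address:' | sed 's/^ *//' || true
}

# Validate against the default CA store, as sepmd does with "global CAs". For a
# self-signed certificate this fails with "error 18 ... self-signed certificate",
# the same condition that surfaces as curl error 60 in the sepmd debug output.
verify_against_global_cas() {
    openssl verify "$1"
}

# Pin the server certificate itself as the trust anchor (the "set server-cert" model).
verify_pinned() {
    openssl verify -CAfile "$1" "$1"
}

# Trust an issuing CA and validate the chain instead (the "set server-ca-cert" model).
# Usage: verify_with_ca internal-ca.crt sepm-server.crt
verify_with_ca() {
    openssl verify -CAfile "$1" "$2"
}

# Constructed test input: a self-signed certificate, as SEPM's Apache ships by default,
# with an FQDN and the SEPM IP from the article's debug output in its SAN.
make_constructed_selfsigned_cert() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=sepm.example.test" \
        -addext "subjectAltName=DNS:sepm.example.test,IP:10.81.3.170" \
        -keyout "${dir}/server.key" -out "${dir}/server.crt" 2>/dev/null
}

# Offline walk-through on the constructed certificate: run with "--demo".
demo() {
    local dir
    dir=$(mktemp -d)
    make_constructed_selfsigned_cert "$dir"
    echo "issuer kind : $(cert_issuer_kind "$dir/server.crt")"
    echo "SAN         : $(cert_sans "$dir/server.crt")"
    echo "-- validation against the global CA store (FortiOS 7.0.1+ default):"
    verify_against_global_cas "$dir/server.crt" || true
    echo "-- validation with the server certificate pinned (set server-cert):"
    verify_pinned "$dir/server.crt"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In the field, run sepm_port_open and sepm_fetch_cert against the real SEPM address first; the fetched PEM is what the FortiGate sees on 8446 and can be fed to cert_issuer_kind, cert_sans and verify_against_global_cas directly. If it differs from the server.crt found under the SEPM's apache\conf\ssl directory, a device in the path (or a different listener) is presenting another certificate, which is a separate problem from the self-signed case the article describes.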
Related document:
Symantec Endpoint connector
Copyright 2024 Fortinet, Inc. All Rights Reserved.