After a FortiGate firewall is connected to the Internet, communication with the FortiGuard cloud may fail, so that the firewall cannot update its services normally.
First try to ping the FortiGuard cloud servers from the firewall:
# execute ping service.fortiguard.net
# execute ping update.fortiguard.net
Enter the following commands to enable debugging; the output shows the exchange between the FortiGate and the cloud:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
If the debug log shows the lines below, the FortiGate cannot complete a TLS handshake with the FortiGuard server, and the following error messages appear:
upd_daemon.c[323] do_update-Starting now UPDATE (final try)
upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
upd_comm.c[529] ssl_connect_fds-Poll event error:19
upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
One possible cause is the MTU on the WAN interface. Changing the interface MTU value may resolve the TLS connection problem.
To change the MTU of the interface, use the following commands:
# config system interface
# edit wan1
# set mtu-override enable
# set mtu 1462
# end
Re-enter the debug commands from above to view the latest exchange:
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug enable
# fnsysctl killall updated
# execute update-now
The FortiGate can now be seen exchanging data with FortiGuard normally:
do_setup[340]-Starting SETUP
upd_fds_load_default_server[924]-Addr=[173.243.141.6], weight=1104122476
upd_fds_load_default_server[941]-Resolve fds ip address OK.
upd_fds_load_default_server6[1046]-Resolve fds ipv6 address failed.
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
[267] __ssl_init: Done
[113] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[480] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[486] ssl_ctx_use_builtin_store: Enable CRL checking.
[493] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[755] ssl_ctx_create_new_ex: SSL CTX is created
[782] ssl_new: SSL object is created
[166] ssl_add_ftgd_hostname_check: Add hostname checking 'usupdate.fortinet.net'
[343] __ssl_crl_verify_cb: CRL not found. Depth 0
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
__upd_peer_vfy[330]-Server certificate OK.
[383] __bio_mem_dump: OCSP status good
pack_obj[185]-Packing obj=Protocol=3.0|Command=VMSetup|Firmware=FGVMK6-FW-7.00-0157|SerialNumber=FGVM01TMYYYYYYYY|Connection=Internet|Address=z.z.z.z:0|Language=en-US|TimeZone=8|UpdateMethod=1|Uid=f2d7fc26af8a4b9c826f378ece503a01|VMPlatform=KVM
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.8-0169|SerialNumber=FPT-FGT-DELL1004|Server=FDSG|Persistent=false|PEER_IP=x.x.x.x
get_fcpr_response[337]-Wan ip=[x.x.x.x]
upd_vm_cfg_set_status[235]-Saved status code 200
upd_comm_disconnect_fds[496]-Disconnecting FDS 173.243.141.6:443
[203] __ssl_data_ctx_free: Done
[1046] ssl_free: Done
[195] __ssl_cert_ctx_free: Done
[1056] ssl_ctx_free: Done
[1037] ssl_disconnect: Shutdown
do_setup[350]-SETUP successful
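As an added example (not part of the original article or Fortinet's tooling), the following script triages a pasted `diagnose debug application update -1` capture: it extracts the FDS server tried, the poll error, whether the server certificate was ever verified, and the FortiGuard response code, and then tells a "failed before the handshake completed" capture (the symptom above, consistent with an MTU problem on the path) apart from a successful setup. The sample captures are constructed from the excerpts shown above.

```python
import re

# Constructed excerpts mirroring the two debug captures in this article (not live output).
FAILED_LOG = """\
upd_daemon.c[323] do_update-Starting now UPDATE (final try)
upd_act.c[275] __upd_act_update-Trying FDS 173.243.138.66:443 with AcceptDelta=0
upd_comm.c[215] tcp_connect_fds-Proxy tunneling is disabled
upd_comm.c[529] ssl_connect_fds-Poll event error:19
upd_comm.c[618] upd_comm_connect_fds-Failed SSL connect
"""

OK_LOG = """\
upd_comm_connect_fds[455]-Trying FDS 173.243.141.6:443
__upd_peer_vfy[330]-Server certificate OK.
get_fcpr_response[297]-Unpacked obj: Protocol=3.0|Response=200|Server=FDSG
do_setup[350]-SETUP successful
"""

FDS_RE = re.compile(r"Trying FDS (\d{1,3}(?:\.\d{1,3}){3}:\d+)")
POLL_RE = re.compile(r"Poll event error:(\d+)")
RESP_RE = re.compile(r"\|Response=(\d+)")


def triage_update_debug(log: str) -> dict:
    """Summarise one update-daemon debug capture and give a verdict."""
    s = {"fds": None, "ssl_failed": False, "poll_error": None,
         "cert_ok": False, "response": None, "setup_ok": False}
    for line in log.splitlines():
        if m := FDS_RE.search(line):
            s["fds"] = m.group(1)              # last FDS server attempted
        if m := POLL_RE.search(line):
            s["poll_error"] = int(m.group(1))  # socket poll error during ssl_connect
        if "Failed SSL connect" in line:
            s["ssl_failed"] = True
        if "Server certificate OK" in line:
            s["cert_ok"] = True                # handshake got as far as cert verification
        if m := RESP_RE.search(line):
            s["response"] = int(m.group(1))    # FortiGuard FCPR response code
        if "SETUP successful" in line:
            s["setup_ok"] = True
    if s["setup_ok"] and s["response"] == 200:
        s["verdict"] = "ok"
    elif s["ssl_failed"] and not s["cert_ok"]:
        # TLS never reached certificate verification: check the path (e.g. WAN MTU) first.
        s["verdict"] = "tls-connect-failed"
    else:
        s["verdict"] = "inconclusive"
    return s


if __name__ == "__main__":
    for name, log in (("before MTU change", FAILED_LOG), ("after MTU change", OK_LOG)):
        print(name, triage_update_debug(log))
```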