Diagnosing SSL Card issues
Collect the information below for further analysis:
- Diagnostic commands for the hardware SSL card:
FortiWeb# diagnose hardware check sslcard
Ssl card intel check Pass #intel card
FortiWeb # diagnose hardware check sslcard
Ssl card cp9 check Pass #cp9 card
##After v5.85, the SSL card status can be shown with:
FortiWeb# diagnose debug sslhardwarestatus show
proxyd using cp9 engine #cp9 card works
Or
FortiWeb# diagnose debug sslhardwarestatus show
proxyd not using engine #cp9 card does not work well
FortiWeb # diagnose hardware cavium3 status
Or
FortiWeb # diagnose hardware cp9 status
Tue Jan 18 22:07:53 2022
kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}
kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}
vpn[0]:{0:0:0:0:}
vpn[1]:{0:0:0:0:}
##The commands below are available but might be removed soon
FortiWeb # diagnose hardware cp9 test 1
cp_uio: Detect KXP device[0]
cp_uio: Detect KXP device[1]
cp_uio: Detect VPN device[0]
cp_uio: Detect VPN device[1]
Testing kxpvpn memory...
num 1 alloc 1 done
Done
Testing RNG interface(bytes: 4080)...
Done
Testing BN_mod_exp interface...
Testing BN_mod_exp mod 1K
Done
Testing BN_mod_exp mod 2K
Done
Testing BN_mod_exp mod 3K
Done
Testing BN_mod_exp mod 4K
1.0 ops/s 0.0 MB/s
Done
Done
Testing RSA_mod_exp interface...
Testing RSA_mod_exp mod 1k
Done
Testing RSA_mod_exp mod 2k
Done
Testing RSA_mod_exp mod 3k
Done
Testing RSA_mod_exp mod 4k
Done
Done
Testing ssl3_generate_master_secret...
Done
Testing ssl3_setup_key_block...
1.0 ops/s 0.0 MB/s
Done
Testing tls_generate_master_secret...
Done
Testing tls_setup_key_block...
Done
Testing ECSKEY(NID:415, prime256v1)...
Done
Testing ECSKEY(NID:715, secp384r1)...
Done
Testing ECSKEY(NID:716, secp521r1)...
1.0 ops/s 0.0 MB/s
Done
Testing ECSIGN(NID:415, prime256v1)...
Testing ECSIGN(NID:715, secp384r1)...
Testing ECSIGN(NID:716, secp521r1)...
Testing ECVERIFY(NID:415, prime256v1)...
Testing ECVERIFY(NID:715, secp384r1)...
1.0 ops/s 0.0 MB/s
Testing ECVERIFY(NID:716, secp521r1)...
Testing AES interface...
Done
Testing DES interface...
Done
Testing 3DES interface...
Done
>>>> System Memory <<<<
block[128]: 2048/2048
block[256]: 2048/2048
block[512]: 2048/2048
block[1024]: 10240/10240
block[2048]: 10240/10240
block[4096]: 10240/10240
block[8192]: 8192/8192
block[16384]: 2048/2048
block[32768]: 2048/2048
Size: 237312 Mbytes
>>>> Status <<<<
kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}
kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}
vpn[0]:{0:0:0:0:}
vpn[1]:{0:0:0:0:}
RNG 1 0 0
SSL3_GENMS 1 0 0
SSL3_GENKM 1 0 0
TLS_GENMS 1 0 0
TLS_GENKM 1 0 0
PKCE_1024 1 0 0
PKCE_2048 1 0 0
PKCE_4096 2 0 0
CRT_PARAM_1024 1 0 0
CRT_PARAM_2048 1 0 0
CRT_PARAM_4096 2 0 0
CRT_1024 1 0 0
CRT_2048 1 0 0
CRT_4096 2 0 0
EC_SIGN 3 0 0
EC_VERIFY 3 0 0
ECSKEY 3 0 0
NID_aes_128_sha1 1 0 0
NID_des_ede3_cbc 1 0 0
NID_des_cbc 1 0 0
- If you suspect that the hardware SSL card has a problem, you can disable it and check whether software SSL works correctly with the commands below:
##Enabling high-compatibility-mode turns off the hardware SSL card
FortiWeb# dia de sslhardwarestatus show
proxyd using intel engine
FortiWeb # config server-policy setting
FortiWeb (setting) # set high-compatibility-mode enable
FortiWeb (setting) # end
high compatibility mode:This operation will restart proxyd and clear the current connection!
Do you want to continue? (y/n)y
FortiWeb # show server-policy setting
config server-policy setting
set high-compatibility-mode enable
end
FortiWeb # diagnose debug sslhardwarestatus show
proxyd not using engine
- Check more detailed information in dmesg or /var/log/dmesg/kern.log:
[ 50.617068] Loading QAT CONTIG MEM Module ...
[ 50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[ 51.508620] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
[ 51.859112] igb 0000:02:00.0 mgmt1: igb: mgmt1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 51.862020] QAT: Stopping all acceleration devices.
[ 51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines
[ 51.862324] c6xx 0000:1a:00.0: Resetting device qat_dev0
[ 51.862325] c6xx 0000:1a:00.0: Function level reset
[ 51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines
[ 51.965811] IPv6: ADDRCONF(NETDEV_CHANGE): mgmt1: link becomes ready
[ 51.966034] c6xx 0000:1b:00.0: Resetting device qat_dev1
[ 51.966034] c6xx 0000:1b:00.0: Function level reset
[ 53.071493] c6xx 0000:1a:00.0: Starting acceleration device qat_dev0.
[ 53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[ 53.688343] c6xx 0000:1b:00.0: Starting acceleration device qat_dev1.
[ 53.951619] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
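Reading the collected output by hand is error-prone when several QAT devices cycle through stop, reset and start within a few seconds. The script below is an added example, not FortiWeb code: it parses the "proxyd ... engine" line from diagnose debug sslhardwarestatus show and the c6xx/qat_dev lines from dmesg shown above, and reports whether proxyd is on a hardware engine and whether each qat device ended up started. The first sample is modelled on the dmesg excerpt above; the second sample, where a device is reset but never restarted, is constructed to show the failure case. The meaning of the counter columns in the cp9 status output is not documented on this page, so the script does not interpret them.

```python
"""Triage helper for FortiWeb SSL-card diagnostics (added example, not FortiWeb code).

Parses the 'proxyd ... engine' line from 'diagnose debug sslhardwarestatus show'
and the QAT (c6xx) lines from dmesg / /var/log/dmesg/kern.log.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Engine line as printed by 'diagnose debug sslhardwarestatus show'.
_ENGINE_RE = re.compile(r"^proxyd (?:using (?P<engine>\w+) engine|not using engine)$")

# QAT kernel messages: "[ ts] c6xx <pci>: <event>".  Only the three events that
# change device state are matched; "Function level reset" is informational.
_QAT_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s+c6xx\s+(?P<pci>[0-9a-f:.]+):\s+"
    r"(?:(?P<dev>qat_dev\d+) (?P<state>started|stopped) (?P<n>\d+) acceleration engines"
    r"|Resetting device (?P<rdev>qat_dev\d+)"
    r"|Starting acceleration device (?P<sdev>qat_dev\d+)\.)"
)


def parse_engine_status(text: str) -> Optional[str]:
    """Return the engine proxyd reports ('cp9', 'intel'), or None when proxyd
    is not using any hardware engine.  Raises if no status line is present."""
    for line in text.splitlines():
        m = _ENGINE_RE.match(line.strip())
        if m:
            return m.group("engine")
    raise ValueError("no 'proxyd ... engine' line found")


@dataclass
class QatDevice:
    pci: str
    state: str = "unknown"          # started / stopped / resetting / starting
    engines: int = 0                # acceleration engines reported at last start
    resets: int = 0                 # number of 'Resetting device' events
    events: List[Tuple[float, str]] = field(default_factory=list)


def parse_qat_dmesg(text: str) -> Dict[str, QatDevice]:
    """Walk the QAT lines in log order and keep the last known state per device."""
    devs: Dict[str, QatDevice] = {}
    for line in text.splitlines():
        m = _QAT_RE.match(line)
        if not m:
            continue
        name = m.group("dev") or m.group("rdev") or m.group("sdev")
        d = devs.setdefault(name, QatDevice(pci=m.group("pci")))
        if m.group("state"):
            d.state = m.group("state")
            d.engines = int(m.group("n")) if d.state == "started" else 0
        elif m.group("rdev"):
            d.state = "resetting"
            d.resets += 1
        else:
            d.state = "starting"
        d.events.append((float(m.group("ts")), d.state))
    return devs


def triage(engine_text: str, dmesg_text: str, high_compat: bool = False) -> List[str]:
    """Combine both sources into findings a support engineer can act on."""
    findings: List[str] = []
    engine = parse_engine_status(engine_text)
    if engine is None and not high_compat:
        findings.append("proxyd is not using a hardware engine although "
                        "high-compatibility-mode is disabled: check the card")
    elif engine is None:
        findings.append("software SSL in use (high-compatibility-mode enabled)")
    else:
        findings.append(f"proxyd is using the {engine} engine")
    for name, d in sorted(parse_qat_dmesg(dmesg_text).items()):
        if d.state != "started":
            findings.append(f"{name} ({d.pci}) last seen '{d.state}', not running")
        if d.resets > 1:
            findings.append(f"{name} ({d.pci}) was reset {d.resets} times")
    return findings


# Sample modelled on the dmesg excerpt above: both devices are reset once and come back.
SAMPLE_OK = """\
[   50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[   51.508620] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
[   51.862020] QAT: Stopping all acceleration devices.
[   51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines
[   51.862324] c6xx 0000:1a:00.0: Resetting device qat_dev0
[   51.862325] c6xx 0000:1a:00.0: Function level reset
[   51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines
[   51.966034] c6xx 0000:1b:00.0: Resetting device qat_dev1
[   53.071493] c6xx 0000:1a:00.0: Starting acceleration device qat_dev0.
[   53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[   53.688343] c6xx 0000:1b:00.0: Starting acceleration device qat_dev1.
[   53.951619] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
"""

# Constructed failure case (not from the page): qat_dev1 is reset but never restarted.
SAMPLE_STUCK = SAMPLE_OK.split("[   53.688343]")[0]

if __name__ == "__main__":
    for f in triage("proxyd using cp9 engine", SAMPLE_OK):
        print("OK   :", f)
    for f in triage("proxyd not using engine", SAMPLE_STUCK):
        print("STUCK:", f)
```

Pass high_compat=True when the unit has high-compatibility-mode enabled, so that "proxyd not using engine" is reported as expected software SSL rather than as a card fault; a device whose last QAT event is "stopped" or "Resetting device" without a later "started" is the condition worth escalating with the full dmesg.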