nverma, Staff
December 1, 2022

Troubleshooting Tip: Resolving a connectivity issue between an Azure or AWS FortiGate and an FortiClient EMS and FortiManager where the 'Fortinet_Factory' certificate shows as 'FortiGate'

Description
This article describes how to resolve a connectivity issue between an Azure or AWS FortiGate and a FortiClient EMS or FortiManager that occurs when the 'Fortinet_Factory' certificate shows the name 'FortiGate' instead of the device name.

Scope
FortiGate.

Solution

FortiGate for AWS and FortiGate for Microsoft Azure on-demand models receive the virtual machine license from FortiCare during the boot-up process.

In some cases, the 'Fortinet_Factory' certificate CN shows as 'FortiGate' instead of the name of the device. This results in a connectivity issue between the FortiGate and the FortiClient EMS or FortiManager, because certificate validation fails.

 



This is intentional: a FortiGate virtual machine whose certificate does not carry its specific serial number cannot establish a Fabric connector to a FortiClient EMS.

 

To observe the connection attempt and the certificate validation behaviour during communication between the FortiGate and EMS or FortiManager, run the following debug:

   diagnose debug reset
   diagnose debug console timestamp enable
   diagnose debug application fgfmd -1
   diagnose debug enable

When finished, disable the debug:

   diagnose debug disable

 

To resolve this issue, manually download the virtual machine license on the FortiGate with the following commands (this updates the 'Fortinet_Factory' certificate CN with the serial number of the FortiGate):

   diagnose debug vm-print-license
   SerialNumber: FGVMXXXXXXXX    <----- Note the serial number.

   execute vm-license <FGT SN>   <----- Use the serial number from above.
   This operation will reboot the system !
   Do you want to continue? (y/n)y

 

If 'execute vm-license' fails, first make sure that the FortiGate can resolve the domain name:

   execute ping directregistration.fortinet.com

If 'execute vm-license' fails with the error 'Failed to download VM license', make sure that there is a route pointing to port1. Azure metadata requests must go out through port1, but the default route is not via port1, so add a static route for the metadata service:

   config router static
       edit 0
           set dst 169.254.169.254 255.255.255.255
           set device "port1"
       next
   end

 

If it is a hardware FortiGate, apply the following command instead:

   execute vpn certificate local generate default-ssl-key-certs

Then:

  • Check the output of:

   get vpn certificate local details

  • Check whether the CN fields have changed; if they have not, open a ticket with the FortiGate team.
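As an added check that is not part of the original article, the following Python script parses the output of 'get vpn certificate local details' and 'diagnose debug vm-print-license' and reports whether the 'Fortinet_Factory' CN still carries the generic 'FortiGate' value or already matches the licensed serial number. The output layout in the constructed samples, the serial number and the certificate names are assumptions for illustration.

```python
import re

# Constructed sample of 'get vpn certificate local details' output
# (field layout is an assumption; real output may differ in labels).
SAMPLE_CERTS = """\
== [ Fortinet_Factory ]
name: Fortinet_Factory
subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
== [ Fortinet_SSL ]
name: Fortinet_SSL
subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGVMXXXXXXXX, emailAddress = support@fortinet.com
"""

# Constructed sample of 'diagnose debug vm-print-license' output.
SAMPLE_LICENSE = "SerialNumber: FGVMXXXXXXXX\n"


def parse_local_certs(text):
    """Return {certificate name: subject CN} from the certificate listing."""
    result = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^==\s*\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            continue
        # Only the subject line carries the CN we care about; skip the issuer.
        if current and line.lower().startswith("subject:"):
            cn = re.search(r"\bCN\s*=\s*([^,]+)", line)
            if cn:
                result[current] = cn.group(1).strip()
    return result


def parse_serial(text):
    """Extract the serial number from the vm-print-license output."""
    m = re.search(r"SerialNumber:\s*(\S+)", text)
    return m.group(1) if m else None


def factory_cert_status(cert_text, license_text):
    """'ok' if the Fortinet_Factory CN equals the licensed serial number,
    'placeholder' if it is still the generic 'FortiGate', 'mismatch' otherwise."""
    cn = parse_local_certs(cert_text).get("Fortinet_Factory")
    serial = parse_serial(license_text)
    if cn is None or serial is None:
        return "unknown"
    if cn == serial:
        return "ok"
    return "placeholder" if cn == "FortiGate" else "mismatch"


if __name__ == "__main__":
    print(factory_cert_status(SAMPLE_CERTS, SAMPLE_LICENSE))  # placeholder
```

Feed it the two command outputs captured over SSH; a result of 'placeholder' means the license re-download (or .lic reload) described above is still needed.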

 

Note:

This command will reboot the device. It is recommended to run it during a maintenance window or outside business hours to avoid impact on services.

 

This option was removed in the latest firmware versions (FortiGate v7.6.2, v7.4.6, and v7.2.10). On these versions, reload the .lic file to the appliance to regenerate the certificate CN.

 

Below is a screenshot of the license upload in v7.4.7.

 
 

This command cannot be used for an on-premises VM and will produce the following error: 'Forticare response error 57'.

However, this error can sometimes also be seen in the AWS/Azure environment, in which case the manual process needs to be followed from the GUI, as demonstrated in Technical Tip: Uploading the FortiGate-VM license.