Technical Tip: Importing Remote Certificate from Multiple FortiGate
| Description | This article describes FortiManager behavior when importing Remote Certificate from multiple FortiGate. |
| Scope | FortiManager. |
| Solution | FortiManager is designed to be a central management unit that can manage different versions and platforms of FortiGate. Most objects can be dynamic, which means FortiManager is able to create a per-device mapping so that each FortiGate can have a different value set for the same object. The Remote Certificate object does not have a dynamic attribute, so FortiManager is unable to create a per-device mapping for it. As a result, importing a Remote Certificate from multiple FortiGates that share the same name but hold different values can cause an issue.
In this example, two FortiGates (FGT1 and FGT2) each have a Remote Certificate named REMOTE_Cert_1 that is used in a Firewall Policy:
Add both FortiGate as a managed device in the FortiManager and ensure the Config Status is 'Synchronized':
After importing one of the FortiGates (FGT1 in this example), its Policy Package Status will be Synchronized, and REMOTE_Cert_1 can be seen under Policy & Objects -> Advanced -> Remote Certificate:
Proceed to import the configuration of the second FortiGate (FGT2); FortiManager will pop up a prompt notifying of an Object Conflict.
Note: A conflict object is one whose name is the same across FortiGates but whose value differs on each device. FortiManager is unable to create a per-device mapping for such an object because it does not have a dynamic attribute.
Complete the import process. In the Device Manager, only the most recently imported FortiGate will show as Synchronized, while the other will show as Modified:
This is because, during the previous steps, the value of REMOTE_Cert_1 was overwritten with the value from the latest import. Verify the value under Policy & Objects -> Advanced -> Remote Certificate:
Note: Compare the 'CN' value after the first and second imports. After the first import the value is CN=FGT1; after the second import it is CN=FGT2.
Since the value of the shared object has changed, FortiManager will try to install the updated value to the first FortiGate. To avoid installing unwanted configuration, each unique certificate value needs its own unique object name.
Note: The name REMOTE_Cert_1 is the default certificate name given by FortiGate when importing the remote certificate. To rename it, the following command can be run:
config vpn certificate remote
After the command is run on all FortiGates to change the certificate name, all FortiGates can be synchronized without issue:
Retrieve the configuration of each FortiGate and import the configuration again:
Both FortiGates are now Synchronized in both Config Status and Policy Package Status. Verify further under Policy & Objects -> Advanced -> Remote Certificate:
FortiManager now holds two unique remote certificates with unique values, and subsequent installs will not attempt to change the remote certificate. |
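The conflict described in this article can be caught before any import by comparing the 'config vpn certificate remote' tables of the FortiGate configuration backups. The following script is an added example, not part of this article or any Fortinet tool: it parses that table from each backup, fingerprints each certificate value, reports names that are shared across devices with differing values, and prints the per-device 'rename ... to ...' CLI lines that give each conflicting object a unique name. The configuration text is constructed and its certificate bodies are placeholders rather than real PEM data; the naming scheme (old name plus a device suffix) is an assumption, not a Fortinet convention.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample excerpts in FortiGate CLI backup format (not real device
# output). On a real device 'set remote' holds the PEM text with embedded
# literal "\n" sequences; here the bodies are placeholder strings.
FGT1_CONFIG = """\
config system global
    set hostname "FGT1"
end
config vpn certificate remote
    edit "REMOTE_Cert_1"
        set remote "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER-SUBJECT-CN=FGT1\\n-----END CERTIFICATE-----"
        set range global
    next
    edit "REMOTE_Cert_2"
        set remote "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER-SHARED-CA\\n-----END CERTIFICATE-----"
        set range global
    next
end
"""

# FGT2 carries the same object names; REMOTE_Cert_1 differs, REMOTE_Cert_2 is identical.
FGT2_CONFIG = FGT1_CONFIG.replace('"FGT1"', '"FGT2"').replace("CN=FGT1", "CN=FGT2")

BLOCK_RE = re.compile(r"^config vpn certificate remote\n(.*?)^end$", re.S | re.M)
ENTRY_RE = re.compile(r'edit "([^"]+)"(.*?)\n\s*next', re.S)
REMOTE_RE = re.compile(r'set remote "([^"]*)"')


def parse_remote_certs(config_text):
    """Return {cert_name: remote_value} from the 'config vpn certificate remote' table."""
    block = BLOCK_RE.search(config_text)
    if not block:
        return {}
    certs = {}
    for name, body in ENTRY_RE.findall(block.group(1)):
        value = REMOTE_RE.search(body)
        certs[name] = value.group(1) if value else ""
    return certs


def fingerprint(value):
    """Short SHA-256 of the stored certificate value, so values can be compared without printing them."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def find_conflicts(configs):
    """configs: {device: config_text}. Return {cert_name: {device: fingerprint}} for every
    name that appears on more than one device with more than one distinct value."""
    seen = defaultdict(dict)
    for device, text in configs.items():
        for name, value in parse_remote_certs(text).items():
            seen[name][device] = fingerprint(value)
    return {name: devs for name, devs in seen.items() if len(set(devs.values())) > 1}


def suggest_renames(conflicts):
    """Per device, the CLI lines to run inside 'config vpn certificate remote' so each
    conflicting object gets a unique name (suffix scheme is this example's assumption)."""
    commands = defaultdict(list)
    for name, devices in sorted(conflicts.items()):
        for device in sorted(devices):
            commands[device].append(f'rename "{name}" to "{name}_{device}"')
    return dict(commands)


if __name__ == "__main__":
    conflicts = find_conflicts({"FGT1": FGT1_CONFIG, "FGT2": FGT2_CONFIG})
    for name, devices in conflicts.items():
        print(f"conflict: {name}")
        for device, fp in devices.items():
            print(f"  {device}: sha256 {fp}")
    for device, cmds in suggest_renames(conflicts).items():
        print(f"\n# run on {device}\nconfig vpn certificate remote")
        for cmd in cmds:
            print(f"    {cmd}")
        print("end")
```

Run it against the exported backups of every FortiGate that will be imported into the same ADOM; an empty result means the Remote Certificate tables can be imported without triggering the Object Conflict prompt, while each reported name must be renamed on the devices before the retrieve and re-import steps above.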