Troubleshooting Tip: Understanding 'fgfm diagnose debug' log

1. Run the following 'fgfm diagnose debug' in the FortiManager CLI console or SSH session:

diagnose debug application fgfmd 255

diagnose debug enable

    
To disable the debug processes:

diagnose debug disable

2. The user may try 'restart fgfmd daemon from FortiGate' or 'refresh device from FortiManager' to reinitiate the connection:

fnsysctl killall fgfmd <----- This will restart the fgfmd daemon from FortiGate.

FortiManager GUI -> Device Manager -> Select the FortiGate device -> More -> Refresh Device.

3. From the debug output, it will list down what are the CA Certificates that are available to broadcast.

• If 'fgfm-ca-cert' is set in 'conf sys global', FortiManager will show 'custom CA certificate'.

• If 'fgfm-ca-cert' is unset in 'conf sys global', FortiManager will only show 'default CA certificate'.

• If 'fgfm-cert-exclusive' is enabled in 'conf sys global', FortiManager will only use the configured 'fgfm-ca-cert' and 'fgfm-local-cert'.

4. It will check for 'peer subject' and 'peer issuer' certificates received from FortiGate.

• If the 'peer subject' certificate has invalid CN value (missing/not matching FortiGate serial number), FortiManager will prompt error '... serial number (FGVMXXXXX) in 'get' message doesn't match subject CN (x.x.x.x) in peer's certificate.'.

• If the 'peer issuer' certificate is not present in FortiManager, it will prompt the error '... unable to get local issuer certificate'.

5. Once certificate verification is successful, FortiManager will proceed to 'Create session'.

Related articles:

• Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager
  
• Technical Tip: Setup custom certificate for FGFM protocol