Great_Dane
New Member
February 11, 2025
Question

Adding Fortigate VM eval to FortiManager VM eval

  • February 11, 2025
  • 13 replies
  • 9614 views

Hi everyone,

I am trying to add a Fortigate VM eval, generated via the FortiCloud account, to the FortiManager VM eval, also generated via the FortiCloud account. So, both units are "self-generated" evals. I am not talking about evals obtained through the local supplier. It is not working!!!

From the debug output on FGM, it seems like the FG is not sending any certificate to the FGM while trying to set up communication via FGFM.

This is a debug output from the FGM:

2025-02-11 06:44:29 Use cert idx=0 by peer_ca = 1
2025-02-11 06:44:29 __info_callback,993: role=svr,state=23, TLSv1.3 SSLv3/TLS write certificate
2025-02-11 06:44:29 __info_callback,993: role=svr,state=40, TLSv1.3 TLSv1.3 write server certificate verify
2025-02-11 06:44:29 __info_callback,993: role=svr,state=36, TLSv1.3 SSLv3/TLS write finished
2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 06:44:29 TLSv1.3 write fatal alert: unknown
2025-02-11 06:44:29 fw_proto_ssl.c,1026: TLSv1.3 error
2025-02-11 06:44:29 fw_proto_ssl.c,__get_error,1615, err=167772359, error:0A0000C7:SSL routines::peer did not return a certificate.
2025-02-11 06:44:29 fw_proto_ssl.c,__get_error,1629, ret=-4, error=1, errno=0,Success.
2025-02-11 06:44:29 proxy_session.c,__proxy_session_cleanup, 118:cnt=0, session=0x558f996106bc.

On the FG unit I can see the FGM resetting the connection:

FGFMs: setting session 0x5578e5f67440 exclusive=0
FGFMs: Connect to 10.100.100.20:541, local 10.100.100.21:10514.
FGFMs: set_fgfm_sni SNI<fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: Set self_initiated = 1
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 1 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Verified CA certificate 1: (subject: fortinet-subca2001, issuer: fortinet-ca2)
FGFMs: Verified peer certificate 0: (subject: *****, issuer: fortinet-subca2001)
FGFMs: SSLv3/TLS read server certificate
FGFMs: TLSv1.3 read server certificate verify
FGFMs: SSLv3/TLS read finished
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write finished
FGFMs: SSL negotiation finished successfully
FGFMs: client:send: get auth serialno=***** mgmtid=00000000-0000-0000-0000-000000000000 platform=FortiGate-VM64-KVM fos_ver=700 minor=6 patch=2 build=3462 branch=3462 maxvdom=2 fg_ip=10.100.100.21 hostname=***** harddisk=yes biover=04000002 harddisk_size=32768 logdisk_size=32124 mgmt_mode=normal enc_flags=0 mgmtip=10.100.100.21 mgmtport=443
FGFMs: [__get_error:1169] error=5, errno=104,Connection reset by peer.
FGFMs: [__get_error:1169] error=5, errno=32,Broken pipe.
FGFMs: SSL Alert read: fatal unknown
FGFMs: Cleanup session 0x5578e5f67440, 10.100.100.20.
FGFMs: Destroy session 0x5578e5f67440, 10.100.100.20.

Both units are running FortiOS v7.6.2.

I have also tried with versions 7.4.5 and FG version 7.2.10. No success!

I have gone through all the documentation and know everything about the changes from >= 7.4.6 and peer certificate SN validation, low encryption algorithms, etc. Nothing worked!!!

I have to mention that adding a production or PAYG FG in Azure works like a charm (even with the custom certificates generated via local PKI). So, my guess is that alongside other limitations of the FG VM eval (e.g., maximum of 3 routes, 1 CPU and 2 GB of RAM), you cannot manage this FG VM with FGM. Apparently, this had worked before (at least for other folks on the Internet), but it seems like it does not work anymore.

Has anyone had any luck with this setup?

Thank you!

    13 replies

    AEK
    SuperUser
    SuperUser
    February 11, 2025

    Hi Dane

    I'm not sure if it will help, but you may try using TLSv1.2 instead.

    FortiGate:

    config system global
    set ssl-min-proto-version TLSv1-2
    end

    FortiManager:

    config system global
    set fgfm-ssl-protocol tlsv1.2
    end

    Otherwise the workaround below is also worth a try; it should help when using the FMG trial, even if the shown case is not exactly the same as yours.

    https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-VM-Trial-License-and-FortiGate/ta-p/336811

    Hope it helps.

    AEK
    dingjerry_FTNT
    Staff
    Staff
    February 11, 2025

    Hi @Great_Dane ,

    First of all, let's use FMG as the abbreviation for FortiManager.

    Could you please run the following commands on FMG for a try?

    config system global
        set fgfm-peercert-withoutsn enable
    end

    Great_Dane
    New Member
    February 11, 2025

    @AEK - I tried this, no luck :) It is actually saying "hey, don't use any TLS version below the one configured", but if both units support and can negotiate a higher version of TLS, they will do it. In this case, both devices will just negotiate TLS v1.3, and won't use anything below TLS v1.2, in case the peer does not support it.

    @dingjerry_FTNT - yes, you are absolutely right. I thought FG and FMG were clear, but yes: FG = Fortigate, FMG = FortiManager. Regarding your suggestion..., this command has been removed since FortiOS v7.4.6, and I am running v7.6.2, but... I have been trying with v7.4.5, and with the command suggested, just to rule out any possible misconfiguration with certificates, because I know how picky things may get when it comes down to PKI.

    So, once again, both devices are running FortiOS v7.6.2. I have also provisioned another Fortigate in Azure with the PAYG license, just to make sure I am not crazy and not doing anything wrong here. Fortigate Azure successfully authenticates to FortiManager with a custom certificate, and vice versa.

    This is what the current configuration on the FMG looks like:

    config system global
        set fgfm-ca-cert Root_CA_LAB
        set fgfm-cert-exclusive enable
        set usg enable
    end

    I have also tried with the "least restrictive" options, such as:

    set ssl-low-encryption enable
    set fgfm-deny-unknown disable
    set fgfm-ssl-protocol sslv3

    Nothing worked!

    It is paramount to notice that the TLS handshake is not failing (you can see that from the Fortigate and FortiManager logs). It is authentication that is failing, and that is because the Fortigate is not sending any certificate to the FortiManager. Just like it is "programmed" to act like that with this type of EVAL license.

    It is very frustrating and time consuming when guys from Fortinet decide to change something and don't document it. I bet this is something that just ain't working anymore, but they don't mention this in any documentation, whatsoever.


    Great_Dane
    New Member
    February 11, 2025

    Another interesting thing to note is the default certificates that come with the Fortigate VM eval and the licensed ones. Within System > Certificates the non-eval FG contains a local certificate named "Fortinet_Factory" issued by fortinet-subca2001 with the CN equal to the SN (something that is a pre-req for FortiOS versions >= 7.4.6). The FG eval comes with the same certificate, but the main difference is the issuer, which is "support", and the CN, which equals "Fortigate".

    If we look at the debug output on the FortiManager, we can see that the certificate being requested has to be issued by "fortinet" or "fortinet-ca2".

    This can be seen here:

    2025-02-11 13:27:23 __info_callback,993: role=svr,state=0, TLSv1.3 before SSL initialization
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=0, TLSv1.3 before SSL initialization
    2025-02-11 13:27:23 Got client SNI information : sni=fortinet-ca2.fortinet.com
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=20, TLSv1.3 SSLv3/TLS read client hello
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=22, TLSv1.3 SSLv3/TLS write server hello
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=35, TLSv1.3 SSLv3/TLS write change cipher spec
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
    2025-02-11 13:27:23 Got client SNI information : sni=fortinet-ca2.fortinet.com
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=20, TLSv1.3 SSLv3/TLS read client hello
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=22, TLSv1.3 SSLv3/TLS write server hello
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=37, TLSv1.3 TLSv1.3 write encrypted extensions
    2025-02-11 13:27:23       CA issuer to broadcast: support
    2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2
    2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2
    2025-02-11 13:27:23 Svr broadcast 3 CA subject names to peer
    2025-02-11 13:27:23 __info_callback,993: role=svr,state=25, TLSv1.3 SSLv3/TLS write certificate request
    2025-02-11 13:27:23 Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-subca2001/emailAddress=support@fortinet.com.
    2025-02-11 13:27:23 issuer matching...try next if not match... local_issuer(fortinet-subca2001), remote_CA_subject(fortinet-subca2001)
    2025-02-11 13:27:23 CA issuer matched, local=remote=fortinet-subca2001
    2025-02-11 13:27:23 Find cert idx=0, peer_ca = 1
    2025-02-11 13:27:23 __use_cert,617: start idx = 0

    Since the Fortigate VM has the Fortinet_Factory certificate signed by Fortinet, but the CN or SAN does not equal the FG's SN, this cannot work. So, I would say this is a bug or something that comes by design with the evaluation version. Anyhow, not really funny.

    By looking at the:

    Permanent trial mode for FortiGate-VM | FortiGate / FortiOS 7.6.2 | Fortinet Document Library

    It can be seen that low-encryption operation should not apply to the GUI and FGFM, which implies you should be able to add it to the FortiManager :)

    I would really like to hear if someone has had any luck with this setup.
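    As an added example for readers of this thread (not code from any of the posters or from Fortinet), the Python script below splits the run-together FortiManager and FortiGate FGFM debug output into events and correlates both sides to name the step at which the tunnel failed. The two log samples inside it are constructed from the shape of the output quoted above, with serial numbers and addresses replaced by placeholders. The signal it relies on is the OpenSSL reason "peer did not return a certificate" (0A0000C7) on the FortiManager side: that is the authoritative indication that the FortiGate sent an empty client Certificate message, and it explains why the FortiGate side can still log "SSL negotiation finished successfully" before seeing a reset.

```python
"""Triage a failed FGFM tunnel setup from the debug output of both sides.

Added example for this thread; not the posters' or Fortinet's code. Both log
samples are constructed from the shape of the output quoted in the thread,
condensed to the relevant events, with serials and addresses as placeholders.
"""
import re

# FortiManager (TLS server side) debug, joined onto one line as the forum renders it.
FMG_LOG = (
    "2025-02-11 13:27:23 Got client SNI information : sni=fortinet-ca2.fortinet.com "
    "2025-02-11 13:27:23       CA issuer to broadcast: support "
    "2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2 "
    "2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2 "
    "2025-02-11 13:27:23 Svr broadcast 3 CA subject names to peer "
    "2025-02-11 13:27:23 __info_callback,993: role=svr,state=25, TLSv1.3 SSLv3/TLS write certificate request "
    "2025-02-11 13:27:23 __info_callback,993: role=svr,state=36, TLSv1.3 SSLv3/TLS write finished "
    "2025-02-11 13:27:23 TLSv1.3 write fatal alert: unknown "
    "2025-02-11 13:27:23 fw_proto_ssl.c,__get_error,1615, err=167772359, "
    "error:0A0000C7:SSL routines::peer did not return a certificate. "
    "2025-02-11 13:27:23 fw_proto_ssl.c,__get_error,1629, ret=-4, error=1, errno=0,Success."
)

# FortiGate (TLS client side) debug. Constructed sample.
FGT_LOG = (
    "FGFMs: Connect to 192.0.2.20:541, local 192.0.2.21:10514. "
    "FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2 "
    "FGFMs: SSLv3/TLS read server certificate request "
    "FGFMs: Verified peer certificate 0: (subject: FMG-SN-PLACEHOLDER, issuer: fortinet-subca2001) "
    "FGFMs: SSLv3/TLS write client certificate "
    "FGFMs: SSLv3/TLS write finished "
    "FGFMs: SSL negotiation finished successfully "
    "FGFMs: client:send: get auth serialno=FGT-SN-PLACEHOLDER platform=FortiGate-VM64-KVM "
    "FGFMs: [__get_error:1169] error=5, errno=104,Connection reset by peer. "
    "FGFMs: SSL Alert read: fatal unknown"
)

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+")
SSL_ERROR = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines::([^.]+)\.")
CA_REQUESTED = re.compile(r"CA issuer to broadcast: (\S+)")   # FMG's CertificateRequest list
CA_OFFERED = re.compile(r"CA to broadcast: subject (\S+), issuer (\S+)")  # FGT's trusted CA


def split_fmg_events(text):
    """One event per timestamp, timestamp stripped (the forum joined them into one line)."""
    parts = re.split(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )", text)
    return [TIMESTAMP.sub("", p, count=1).strip() for p in parts if p.strip()]


def split_fgt_events(text):
    """One event per 'FGFMs:' prefix."""
    return [p.strip() for p in text.split("FGFMs: ") if p.strip()]


def triage(fmg_events, fgt_events):
    """Correlate both sides and name the step at which the FGFM tunnel failed."""
    r = {
        "fgt_handshake_ok": any("SSL negotiation finished successfully" in e for e in fgt_events),
        "fgt_reset_by_peer": any("Connection reset by peer" in e for e in fgt_events),
        "fmg_requested_cas": [],   # CA names the FMG asked the client to present a cert from
        "fgt_offered_cas": [],     # CA names the FGT advertised for verifying the FMG
        "fmg_ssl_error": None,     # (OpenSSL reason code, reason text) seen on the FMG
        "verdict": "unknown",
        "explanation": "",
    }
    for e in fmg_events:
        m = CA_REQUESTED.search(e)
        if m and m.group(1) not in r["fmg_requested_cas"]:
            r["fmg_requested_cas"].append(m.group(1))
        m = SSL_ERROR.search(e)
        if m:
            r["fmg_ssl_error"] = (m.group(1).upper(), m.group(2))
    for e in fgt_events:
        m = CA_OFFERED.search(e)
        if m:
            r["fgt_offered_cas"].append({"subject": m.group(1), "issuer": m.group(2)})

    err = r["fmg_ssl_error"]
    if err and "did not return a certificate" in err[1]:
        # In TLS 1.3 the client is done once it sends Finished, so an empty Certificate
        # message is only rejected by the server afterwards; the FGT sees that as a reset.
        r["verdict"] = "client-cert-missing"
        r["explanation"] = (
            "FMG requested a client certificate issued by one of "
            f"{r['fmg_requested_cas']} and got an empty Certificate message. The FGT-side "
            "'write client certificate' and 'negotiation finished' lines do not contradict "
            "this. Check the FGT's Fortinet_Factory certificate: issuer in the requested "
            "list and (as the thread notes for FortiOS >= 7.4.6) CN equal to the serial."
        )
    elif r["fgt_handshake_ok"] and not r["fgt_reset_by_peer"]:
        r["verdict"] = "tls-ok"
        r["explanation"] = "Mutual TLS completed; look past the handshake at the auth exchange."
    elif not r["fgt_handshake_ok"]:
        r["verdict"] = "tls-failed"
        r["explanation"] = "The handshake itself did not complete; check protocol and cipher settings."
    return r


if __name__ == "__main__":
    for key, value in triage(split_fmg_events(FMG_LOG), split_fgt_events(FGT_LOG)).items():
        print(f"{key}: {value}")
```

    To use it on a real capture, paste the FortiManager and FortiGate debug output into FMG_LOG and FGT_LOG; the splitters tolerate the single-line form the forum produces as well as one event per line.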

    AEK
    SuperUser
    SuperUser
    February 12, 2025

    Does regenerating the certificates help at all?

    Example below.

    https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/663527/regenerate-default-certificates

    Hope it helps.

    AEK
    Great_Dane
    New Member
    February 12, 2025

    Unfortunately, it does not.

    Basically, the "Fortinet_Factory" certificate comes signed by "fortinet-subca2001", which actually means that in order to be able to re-generate it we would need to have the "fortinet-subca2001" private key installed in each and every Fortigate, which is not the case for obvious reasons. That certificate probably comes pre-built with the image.

    We can only re-generate self-signed certificates.

    Thanks for the help, anyway.

    ricvil
    New Member
    March 21, 2025

    The Fortigate Trial has other problems (like pushing configs that end with FAIL) but adding it to Fortimanager is possible. For me the solution was to ssh into Fortimanager and then execute:

    config sys global
    set fgfm-peercert-withoutsn enable
    end

    After this I was able to test it both ways... from FortiGate Trial by adding the IP of FortiManager, and from FortiManager by adding the IP of the FortiGate Trial. Just make sure you added FMG-Access to the interface on the FortiGate.

    AEK
    SuperUser
    SuperUser
    March 21, 2025

    Unluckily starting in v7.6.2/v7.4.6/v7.2.10, the fgfm-peercert-withoutsn command is no longer supported.

    https://community.fortinet.com/t5/FortiManager/Technical-Tip-Setup-custom-certificate-for-FGFM-protocol/ta-p/242730

    AEK
    Nur
    Staff
    Staff
    March 24, 2025

    Hi,

    Is it possible for you to set fgfm-deny-unknown to disable in FortiManager?

    config system global
    set fgfm-deny-unknown disable
    end

    Fern-X
    New Member
    March 25, 2025

    Hi @Nur 

    "fgfm-deny-unknown" is already set to "disable".

    Thanks!

    Nur
    Staff
    Staff
    March 25, 2025

    Hi,

    1. Please check the FortiGate Serial Number at the FGT Dashboard.

    2. Go to System -> Certificates -> check the "Fortinet_Factory" cert and expand it to check whether the CN value is the correct FGT Serial No.

    If not the same, then at the FGT run the CLI command:

    # get sys status <--------- copy FGT Serial No. Eg: FGTAWSXXXX

    # exe vm-license <copied FGT Serial No.> <--------- this will trigger a reboot of the FGT.

    Eg:

    exe vm-license FGTAXXXXXXX

    Once the FGT has rebooted, go to System -> Certificates -> check the "Fortinet_Factory" cert and expand it to check whether the CN=FGTAXXXXXXXX

    Great_Dane
    New Member
    March 28, 2025

    Hi Nur,

    Hm... I can confirm the CN for the "Fortinet_Factory" and the SN do not match. The CN for the "Fortinet_Factory" is "FortiGate". I wonder if this is a bug. It would be great if anyone else could confirm that on version 7.6.2 (but I have also tried other versions, like 7.4.5, etc.) they are facing the same issue.

    Regarding the suggested commands; I get "Failed to download VM license".

    Rub_aprendicia
    Explorer
    April 2, 2025

    Hi everyone,

    I would repeat this post from @AlexFerenX:

    "
    > I would really like to hear if someone have had any luck with this setup.

    Any luck?
    "

    Because NOBODY has configured FMG KVM with permanent trial version 7.6.2 that registers with FGT 7.6.2 KVM with permanent trial version.

    (I have configured FMG KVM with trial version 7.6.1 with FortiGate KVM trial version 7.6.2, but there are a lot of BUGs in FMG 7.6.1 and it does not support the FGT 7.6.2.)

    Thanks,

    Great_Dane
    New Member
    April 2, 2025

    I have not worked with Fortigate for quite some time, but I had to come back to it because of a project I am currently working on.

    In the past it was more like better not to have a demo version of FG at all, because it was full of bugs to such a level that it would have been better if it had been forbidden by law than for someone to be able to download it.

    Unfortunately, I see that over the past few years nothing has changed. I really don't know why Fortinet still sticks to these stripped-down versions of their demo products, which work criminally badly, and does not offer a full version of a product with limited BW capabilities, like other vendors do. This would be more than enough to have a decent lab environment you can use for PoC and lab testing. Just frustrating and discouraging for any engineer. Such a shame!

    mihau
    New Member
    May 30, 2025

    I have the same opinion after spending many hours attempting to deploy demo versions of FortiGate and FortiManager in my demo environment (both as AWS instances and KVM VMs). It was an absolutely painful experience that really doesn't paint Fortinet in a good light, especially for someone who tries to promote their products.

    Rub_aprendicia
    Explorer
    April 2, 2025

    And....

    If you wish to download new certificates created by you with the SN in the CN:

    You can create the CSR for the FMG without problems, and you can download the certificate and the root CA.

    BUT....., when you create the CSR for the FGT, an RSA size of 512 is the ONLY OPTION for the FGT. This size limitation is very important, because a lot of CAs don't work with this RSA size, because it is deprecated. And the FGT has problems with the ROOT CA too.

    I only hope that in the next FMG version 7.6.x (above 7.6.2) the command to avoid the certificate check comes back. PLEASE!!!

    Thanks for your help,

    lukaseng
    Visitor III
    July 8, 2025

    Hey,
    Facing exactly same issues and spent too many hours troubleshooting this.
    Have you found a solution to this?