dsnelson
New Member
January 17, 2020
Question

FGFM and trusted hosts

  • January 17, 2020
  • 2 replies
  • 4486 views

I am due to change the IP of my FortiManager and I need to know if this will require a change in our FortiGate trusted hosts configuration?

I expect that the tunnel may continue to work without updating trusted hosts, but does this mean that only the FortiGate will be able to bring up the FGFM tunnel, or will FortiManager be able to bring up the tunnel also, even if it does not appear in the FortiGate's trusted hosts?

2 replies

skyhigh
New Member
January 17, 2020

When FortiManager attempts to establish a new FGFM tunnel with the FortiGate, FortiGate will first check whether the FortiManager serial # is already known as trusted. If not, FortiManager will need to provide admin credentials. In that latter scenario, trusted host restrictions would come into play.

So although I don't believe trusted host restrictions would apply for the first scenario (where the serial # is known), to be safe I would add the new FortiManager serial # to your trusted host list. This could be particularly important for FortiManager HA clusters.

brazz_FTNT
Staff
January 17, 2020

Hello,

Tell us more about the network topology: are the FGTs NATed? If you have basic connectivity and the SN of the FMG has been added in the FGT's "config system central-management", this should be fine.

Thanks
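The two FortiGate-side stanzas the replies refer to, shown together as an added illustration that is not from any poster in this thread; the FMG address, serial number and subnet mask are constructed placeholders:

```text
# Constructed example of the FortiOS CLI settings discussed above.
# Placeholders: the FMG address and FMG serial number are made up.
config system central-management
    set type fortimanager
    # Address the FortiGate dials out to; this is the value affected by an FMG re-IP.
    set fmg "192.0.2.10"
    # FMG serial number the FortiGate treats as trusted for the FGFM tunnel.
    # FortiManager normally writes this entry itself when it first connects.
    set serial-number "FMG-PLACEHOLDER-SN"
end

config system admin
    edit "admin"
        # trusthost entries restrict where admin logins may originate. Per the
        # replies, they matter only when FMG has to fall back to admin credentials
        # because its serial number is not yet known, so the new FMG address
        # should be listed here if that fallback can happen.
        set trusthost1 192.0.2.10 255.255.255.255
    next
end
```

After the re-IP, confirm which of the two paths your FortiGates actually use by checking whether the FMG serial is present under central-management on the target firmware versions.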

dsnelson (Author)
New Member
January 28, 2020

Hi, we are an MSP, so there are a few hundred FortiGates with a wide variety of different connectivity scenarios. I believe our FortiManager adds its own serial number when it connects, so they should all be able to authenticate; the question is just whether or not the trusthosts will permit the FGFM tunnel to connect in the first place. So far my tests on version 6.0 have successfully connected without a trusthosts entry, but I don't know if this will also apply to older firmware versions.