Explorer
May 12, 2026
Question

FortiGate VM cannot retrieve FortiManager serial number – FMG 7.6.6

  • May 12, 2026
  • 6 replies
  • 226 views

Hello everyone,

I am currently experiencing an issue integrating a FortiGate VM with a FortiManager VM (version 7.6.6).

When trying to authorize the FortiManager from the FortiGate GUI, I receive the following error:

"Could not connect to the FortiManager to retrieve its serial number"

I already followed the official Fortinet KB below without success:

https://community.fortinet.com/fortigate-3/technical-tip-error-on-gui-could-not-connect-to-the-fortimanager-to-retrieve-its-serial-number-205398

Additionally, the following command is not available/supported on my FortiManager:

set fgfm-peercert-withoutsn enable

Connectivity between both VMs is working correctly, and basic FGFM communication appears reachable.

Has anyone experienced this issue on FortiManager 7.6.6 or found an alternative workaround to complete the integration successfully?

Any guidance would be greatly appreciated.

Thank you.

6 replies

FortiTowel
New Member
May 13, 2026

Hello Willy007,

From your post, it looks like you are trying to add the new device via FortiManager.

If you only have a few FortiGates, you could try it this way:

FortiGate GUI path:
Security Fabric → Fabric Connectors → Central Management

Configure Central Management there (on-prem or cloud, depending on what type of FortiManager you are using).

After that, the FortiGate should try to register itself to the FortiManager.

On the FortiManager, you should then see the device listed as an unauthorized device.
That should be the FortiGate you configured before — simply authorize/accept it and continue from there.

 

Greets

FortiTowel

willy007Author
Explorer
May 13, 2026

Sir, I did those steps but got the same error.

Regards

FortiTowel
New Member
May 14, 2026

Hello Willy007

Refer to your Fortinet KB, Notes:

If custom certificates are used, ensure the FortiManager serial number is present in the certificate CN field.
Verify the certificate CN field to avoid certificate mismatch issues.

 

Greets

FortiTowel

Talank
Staff
May 13, 2026

The command “set fgfm-peercert-withoutsn enable” was removed starting with FMG versions 7.2.10/7.4.6/7.6.1

willy007Author
Explorer
May 13, 2026

Yes sir, but what other option do I have to register?

farhanahmed
Staff
May 14, 2026

Try this command on FMG:
 

config system global
    set fgfm-allow-vm en
end

 

And see if that works.

willy007Author
Explorer
May 15, 2026

Hi sir, I already did that but have the same problem. This is the actual error message:

“addr:{192.168.200.200:11692->192.168.200.210:541},{type=ssl:client=0,verify=1. {type=ssl self_cn:FMG-VMTM26005988}{type=ssl cn:FortiGate}}}__get_handler:1039: peer_sn=FortiGate, msg_sn=FGVMEV7XZJPKOQA2, session_cn=FortiGate
__get_handler:1082: serial number (FGVMEV7XZJPKOQA2) in 'get' message doesn't match the subject CN (FortiGate) in peer's certificate.”

sjoshi
Staff
May 18, 2026

Is this a trial version?

Can you check?

 

Thanks, Salon
msanjaypadma
Staff
May 17, 2026

Hi @willy007,

Can you share the output of the following commands from the FortiGate:

# get sys status
# get system ha status
# get system status | grep -i serial
# config vpn certificate local
# get Fortinet_Factory | grep CN
# end
# get system central-management
# diagnose fdsm central-mgmt-status


Thanks,
Mayur Padma

willy007Author
Explorer
May 20, 2026

Hi sir, my VM is an evaluation one. These are the commands:

 

https://ydray.com/get/t/u1779248930673ABXad07d57007241fH

 

regards

msanjaypadma
Staff
May 20, 2026

Hi @willy007,

From the previous output I can see that the CN field shows “FortiGate”. You need to update the certificate CN to the serial number.

“addr:{192.168.200.200:11692->192.168.200.210:541},{type=ssl:client=0,verify=1. {type=ssl self_cn:FMG-VMTM26005988}{type=ssl cn:FortiGate}}}__get_handler:1039: peer_sn=FortiGate, msg_sn=FGVMEV7XZJPKOQA2, session_cn=FortiGate
__get_handler:1082: serial number (FGVMEV7XZJPKOQA2) in 'get' message doesn't match the subject CN (FortiGate) in peer's certificate.”
 

For confirmation, you can run the “get Fortinet_Factory | grep CN” command under “config vpn certificate local”:

# config vpn certificate local
# get Fortinet_Factory | grep CN
# end

 

FG_LAB # execute vm-license FGVMEV7XZJPKOQA2
This operation will reboot the system !
Do you want to continue? (y/n)y

Failed to download VM license <--------

If this is failing, can you take an updated debug?
 

# diagnose debug disable
# diagnose debug reset
# diagnose debug application update -1
# diagnose debug console timestamp enable
# diagnose debug enable

Then run the command:
# execute vm-license FGVMEV7XZJPKOQA2



Thanks,
Mayur Padma

New Member
May 20, 2026
Hi,

I have the same problem. FortiGate cannot be integrated with FortiManager.

“The FortiManager's access to the FortiGate will be authenticated by the FortiManager certificate. The serial number from the certificate must match the serial number observed on the FortiManager. Could not connect to the FortiManager to retrieve its serial number.”
  • FortiGate VM and FortiManager VM are using evaluation licenses.
  • fgfm-allow-vm: enable
  • SSL-low-encryption is set to enable
  • Existing vpn certificate local

FGT # config vpn certificate local 

FGT (local) # get Fortinet_Factory | grep CN
        Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
        Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com

 

Any suggestions?

Thanks

msanjaypadma
Staff
May 21, 2026

Hi @willy007, @Jeki

These are my findings:
 

I also attempted to use the EVAL license; however, it did not function as expected. This is because the FortiGate-presented certificate lacks the CN field containing the FortiGate-serial-number. Additionally, the EVAL license does not support FortiGuard/FortiCare, which results in the update function failing and generating a "file download error." To the best of my understanding, the certificate remains unchanged for EVAL licenses.

Furthermore, the referenced article indicates that the EVAL license employs lower encryption levels except for GUI and FortiManager communication, but it is still restricted by the serial number in FortiManager.

Reference:  
https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/441460

 


As per the article: “The command 'fgfm-peercert-withoutsn' has been removed from FortiManager v7.2.10/v7.4.6/v7.6.2. As a result, it is now a hard requirement for the FortiGate to present the local serial number inside the CN= field of the certificate it is presenting to the FortiManager.”


I checked with a regular license version, and it appears to be functioning correctly for me.
 

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
 

Thanks,
Mayur Padma

msanjaypadma
Staff
May 21, 2026

Refer to this thread for a different solution:

Create Certificate
or
Downgrade to FortiManager 7.6.1

config sys global

set fgfm-peercert-withoutsn enable (option was deleted after 7.6.1)

 

Thanks, Mayur Padma
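
Added example (not part of any post in this thread, and not Fortinet code): a small offline check for the serial-number/CN requirement discussed above. It reads the Subject CN from `get Fortinet_Factory | grep CN` output and pulls the serial/CN pair out of the FortiManager FGFM debug lines; the function names are illustrative, and the sample text is copied from the output posted in this thread.

```python
import re

# Sample inputs copied from the output quoted in this thread.
FMG_DEBUG = (
    "__get_handler:1039: peer_sn=FortiGate, msg_sn=FGVMEV7XZJPKOQA2, session_cn=FortiGate\n"
    "__get_handler:1082: serial number (FGVMEV7XZJPKOQA2) in 'get' message "
    "doesn't match the subject CN (FortiGate) in peer's certificate.\n"
)
FGT_CERT = (
    "Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, "
    "OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com\n"
    "Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, "
    "OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com\n"
)

# Hypothetical helper names; the regexes assume the line layout shown above.
_PAIR = re.compile(r"msg_sn=(?P<sn>[^,\s]+),\s*session_cn=(?P<cn>[^,\s]+)")


def subject_cn(cert_text):
    """Return the CN of the Subject line only (the Issuer line also carries a CN)."""
    for line in cert_text.splitlines():
        if line.strip().startswith("Subject:"):
            m = re.search(r"\bCN\s*=\s*([^,]+)", line)
            return m.group(1).strip() if m else None
    return None


def cn_matches_serial(cert_text, serial):
    """True when the certificate the FortiGate presents has its serial as CN."""
    cn = subject_cn(cert_text)
    return cn is not None and cn == serial


def fgfm_mismatches(debug_text):
    """List (msg_sn, session_cn) pairs where the FGFM serial differs from the cert CN."""
    return [(m["sn"], m["cn"]) for m in _PAIR.finditer(debug_text)
            if m["sn"] != m["cn"]]


if __name__ == "__main__":
    serial = "FGVMEV7XZJPKOQA2"  # serial number as posted in the thread
    print("Subject CN:", subject_cn(FGT_CERT))
    print("CN matches serial:", cn_matches_serial(FGT_CERT, serial))
    for sn, cn in fgfm_mismatches(FMG_DEBUG):
        print(f"FortiManager rejected: serial {sn} vs certificate CN {cn}")
```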