FortiGate
_mribwan
Staff
Article Id 315843
Description In some instances, FortiManager fails to provide correct license information from FDS to its managed FortiGates. This article describes the simplest way to block a FortiGate from reaching FortiManager for FDS updates so that it falls back to connecting directly to FDS, without changing the FortiManager configuration.
Scope FortiGate, FortiManager.
Solution
  1. To check the license status of a managed FortiGate on FortiManager, run the following on FortiManager: diag fmupdate dbcontract FGTXXX (replace FGTXXX with the managed FortiGate serial number).
  2. On the FortiGate, ensure include-default-servers is set to enable under config system central-management (it is enabled by default). This allows the FortiGate to fall back to FDS when the connection to FortiManager fails.

  3. Create a blackhole route to the FortiManager IP as follows:

    config router static
        edit 1
            set dst 10.4.5.245 255.255.255.255
            set blackhole enable
            set vrf 0
        next
    end

    Note the /32 mask (255.255.255.255): only the route to the FortiManager IP should be blackholed, so that no other destination on the same subnet is affected.

  4. To verify, check the FortiGate connection status on FortiManager, or run diagnose debug application update -1 (abbreviated dia de app update -1) on the FortiGate; it should now connect to FDS.

    Once the FortiManager issue is fixed, remove the static route to reinstate the connection to FortiManager.
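The following Python script is an added example, not part of the Fortinet article: before applying the blackhole route, it checks that a candidate prefix covers the FortiManager IP from the article (10.4.5.245) and nothing else the FortiGate must still reach, then renders the static route stanza in the article's format. The other addresses (a FortiAnalyzer on the same subnet, an FDS server) are constructed placeholders.

```python
"""
Added example (not from the Fortinet article): sanity-check a blackhole
prefix before applying it on FortiGate. The article blackholes only the
FortiManager IP with a /32; a wider prefix would also blackhole any other
management destination in that range.
"""
import ipaddress


def check_blackhole_prefix(fmg_ip, candidate_prefix, must_reach):
    """Return (ok, collateral).

    ok is True only when candidate_prefix contains fmg_ip and none of the
    addresses in must_reach; collateral lists the must_reach addresses that
    the prefix would wrongly blackhole.
    """
    net = ipaddress.ip_network(candidate_prefix, strict=False)
    if ipaddress.ip_address(fmg_ip) not in net:
        return False, []          # prefix does not even cover FortiManager
    collateral = [ip for ip in must_reach if ipaddress.ip_address(ip) in net]
    return len(collateral) == 0, collateral


def render_blackhole_route(fmg_ip, seq=1, vrf=0):
    """Render the FortiOS static blackhole route for a single host (/32),
    matching the stanza shown in the article."""
    return "\n".join([
        "config router static",
        f"    edit {seq}",
        f"        set dst {fmg_ip} 255.255.255.255",
        "        set blackhole enable",
        f"        set vrf {vrf}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    FMG_IP = "10.4.5.245"  # FortiManager IP from the article
    # Constructed sample: a hypothetical FortiAnalyzer on the same subnet
    # and a hypothetical FDS server address (placeholders, not real hosts).
    KEEP = ["10.4.5.246", "203.0.113.10"]
    for prefix in ("10.4.5.245/32", "10.4.5.0/24"):
        ok, hit = check_blackhole_prefix(FMG_IP, prefix, KEEP)
        print(f"{prefix}: {'OK' if ok else 'REJECT'} {hit}")
    print(render_blackhole_route(FMG_IP))
```

Running it shows the /32 accepted and the /24 rejected because it would also blackhole 10.4.5.246.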