FortiGate
AlexC-FTNT
Staff
Article Id 333746
Description

This article describes a behavior that may seem unwanted and may trigger alerts if the configuration is backed up to a local server.

Scope

FortiGate v7.0.16, v7.2.9, v7.4.4, v7.6.0 (and newer), FortiProxy v7.0:0195, v7.2:0433.

Solution

According to the release notes, the default value of FMG-Access is changed to 'disabled' on all interfaces during the upgrade process.

This follows CVE-2024-23113 and hardens the FortiGate by disabling unused remote access for FGFM (the FortiGate to FortiManager protocol; see What is FGFM).

How this applies, and what is noticed:

For example, during the upgrade, the config is changed on every interface where fgfm is enabled, from:

set allowaccess ping https fgfm

to:

set allowaccess ping https

Notably, this happens only if central-management is not used. If central-management is set to FortiManager, this change will not happen.

This may be noticed when daily config diffs are run on a local server, but it is normal behavior.

Fortigate # config system central-management

Fortigate (central-management) # show
config system central-management
    set type fortimanager    (other available options: fortiguard / none)
    set fmg "10.11.12.13"
end

Note:

If fgfm is enabled, disable it as a workaround for the CVE-2024-23113 vulnerability.

To ensure fgfm is disabled on all interfaces, use the following:

  • CLI: Run 'show system interface | grep -f fgfm' to check for any interfaces with fgfm enabled.
  • GUI: Go to Network > Interfaces and ensure FMG-Access is not selected under Administrative Access for any interface.
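The same check can be run offline against a config backup, which is useful when the daily config diff on the backup server is what raised the alert. This is an added example, not part of the article or any Fortinet tooling; it assumes the backup is the plain CLI text that 'show' emits, and the sample config, interface names and address below are constructed for illustration.

```python
# Added example (not Fortinet's tooling): audit a FortiGate CLI backup for
# interfaces that still allow fgfm, and predict whether the upgrade strips it.
import re

# Constructed sample backup; the interface names and address are illustrative.
SAMPLE_BACKUP = """\
config system central-management
    set type none
end
config system interface
    edit "port1"
        set allowaccess ping https fgfm
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
"""

def central_management_type(cfg: str) -> str:
    """Return the 'set type' value of 'config system central-management'."""
    block = re.search(r"config system central-management\n(.*?)\nend", cfg, re.S)
    if not block:
        return "none"
    m = re.search(r"^\s*set type (\S+)", block.group(1), re.M)
    return m.group(1) if m else "none"

def interfaces_with_fgfm(cfg: str) -> list:
    """Names of interfaces whose allowaccess (Administrative Access) has fgfm."""
    found = []
    for m in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', cfg, re.S):
        name, body = m.group(1), m.group(2)
        acc = re.search(r"^\s*set allowaccess (.+)$", body, re.M)
        if acc and "fgfm" in acc.group(1).split():
            found.append(name)
    return found

def audit(cfg: str) -> dict:
    """Summarise the exposure and what a config diff after the upgrade will show."""
    exposed = interfaces_with_fgfm(cfg)
    cm_type = central_management_type(cfg)
    return {
        "central_management": cm_type,
        "fgfm_interfaces": exposed,
        # Per the article, the upgrade drops fgfm only when FortiManager
        # central management is not configured.
        "upgrade_will_disable_fgfm": bool(exposed) and cm_type != "fortimanager",
    }
```

Running audit() on yesterday's backup tells you which interface lines the post-upgrade diff will touch, so the alert can be triaged as expected hardening rather than an unexplained change.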

To disable fgfm (FortiGate to FortiManager access) on an interface, use the following command:

config system interface
    edit <interface_name>
        set allowaccess ping https ssh http snmp telnet fgfm fabric ftm    <----- Remove fgfm from this list and save the config.
    next
end

This applies only if the FortiGate is managed by FortiManager and the firmware version is v7.4.2 or older, v7.2.6 or older, or v7.0.13 or older.