ezhupa
Staff
Article Id 357393
Description This article describes out-of-sync issues between a FortiGate and a FortiManager, with the device managed in a Backup mode ADOM, that are caused by the vpn.certificate.local object.
Scope FortiGate, FortiManager.
Solution

FortiGate configuration checksums can change without any administrator making a configuration change, which causes the FortiGate to show as out of sync with the FortiManager.
This article assumes that the ADOM in which the device is managed is in 'Backup' mode.

Gather the output of the command below once while the FortiGate is in sync and again once it is out of sync. Comparing the two sets of checksums identifies the object that is causing the sync issue.


get sys mgmt-csum all

 

When the two outputs are compared, the only checksum that differs is the one for the object 'vpn.certificate.local'.

 

< vpn.certificate.local: 9f5ee228df57e3aa411873856f55d0d0
---
> vpn.certificate.local: 6e313cfd61e5e10d1b3e8cfeb4aa431f
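The comparison above can be done by hand with diff, but it is easy to miss a single changed line in a long capture. The following script is an added example, not part of the original article or any Fortinet tool: it parses two saved captures of 'get sys mgmt-csum all' (only the "object: md5" line format is taken from the article; the sample captures, the object names other than vpn.certificate.local and all hash values except the two quoted above are constructed for the example) and reports every object whose checksum changed, appeared or disappeared between the two snapshots.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample captures of `get sys mgmt-csum all` taken at two points
# in time. Only the "<object>: <md5>" line format comes from the article; the
# other object names and all hashes except the two vpn.certificate.local
# values are made up. In practice you would read these from files saved from
# the CLI session.
SNAPSHOT_IN_SYNC = """\
system.global: 4c1c7b0a9c8f0e2a7d3b6e5f1a2b3c4d
system.interface: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
vpn.certificate.local: 9f5ee228df57e3aa411873856f55d0d0
firewall.policy: 1234567890abcdef1234567890abcdef
"""

SNAPSHOT_OUT_OF_SYNC = """\
system.global: 4c1c7b0a9c8f0e2a7d3b6e5f1a2b3c4d
system.interface: 0f1e2d3c4b5a69788796a5b4c3d2e1f0
vpn.certificate.local: 6e313cfd61e5e10d1b3e8cfeb4aa431f
firewall.policy: 1234567890abcdef1234567890abcdef
"""

# One checksum line: object path, a colon, then 32 hex digits (MD5). Blank
# lines, CLI prompts and any other noise in a pasted capture are ignored.
CSUM_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):\s*([0-9a-fA-F]{32})\s*$")


def parse_mgmt_csum(text: str) -> Dict[str, str]:
    """Map each object path in a capture to its checksum (lower-cased hex)."""
    csums: Dict[str, str] = {}
    for line in text.splitlines():
        m = CSUM_LINE.match(line)
        if m:
            csums[m.group(1)] = m.group(2).lower()
    return csums


def diff_checksums(
    before: Dict[str, str], after: Dict[str, str]
) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (object, before_checksum, after_checksum) for every object that
    differs between the two captures. None marks an object present in only
    one capture, which is worth noticing in its own right."""
    changed: List[Tuple[str, Optional[str], Optional[str]]] = []
    for obj in sorted(set(before) | set(after)):
        b, a = before.get(obj), after.get(obj)
        if b != a:
            changed.append((obj, b, a))
    return changed


def format_diff(changes: List[Tuple[str, Optional[str], Optional[str]]]) -> str:
    """Render the changes in the '<' / '---' / '>' style of diff(1), matching
    the way the comparison is shown in the article."""
    blocks = []
    for obj, b, a in changes:
        lines = []
        if b is not None:
            lines.append(f"< {obj}: {b}")
        lines.append("---")
        if a is not None:
            lines.append(f"> {obj}: {a}")
        blocks.append("\n".join(lines))
    return "\n".join(blocks)


if __name__ == "__main__":
    result = diff_checksums(
        parse_mgmt_csum(SNAPSHOT_IN_SYNC), parse_mgmt_csum(SNAPSHOT_OUT_OF_SYNC)
    )
    print(format_diff(result))
```

Run against the two constructed captures, the script prints only the vpn.certificate.local lines, exactly as shown above. Because it keys on object paths rather than line positions, it still works when the two captures list objects in a different order or one of them contains extra CLI noise.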

 

Next, check the local certificates present on the FortiGate.
The changing checksum is caused by local certificates, in most cases ACME or self-signed certificates, that have expired or are reporting errors.


After renewing the certificates, or deleting them or replacing them with valid certificates, refresh the connection between the FortiGate and the FortiManager.
Once this is done the FortiGate will no longer show as 'out-of-sync' with the FortiManager.