Created on 11-30-2022 06:18 AM Edited on 11-30-2022 07:12 AM By Anthony_E
Description |
This article describes the case where FortiManager does not receive authorization requests from a FortiGate that can reach it over an IPsec tunnel,
OR
FortiGate to FortiManager connectivity is broken after a firmware upgrade of the FortiGate performed via FortiManager.
The likely cause is that the FortiGate selects the wrong route (and therefore the wrong outgoing interface and source IP) to reach the FortiManager. |
Scope |
FortiGate and FortiManager 5.X, 6.X and 7.X. |
Solution |
- When configuring FortiGate to be added to FortiManager, first check which route it takes to reach the FortiManager via the FortiGate CLI command:
# get router info routing-table details <fmg-ip>
- The output of this command shows the outgoing interface the FortiGate uses for that destination; in the case described here it should be the name of the VPN tunnel interface. If it shows a different interface instead (for example the WAN interface used by the default route), the FortiGate is sending the request outside the tunnel and the FortiManager will never see it.
- It also helps to use, as the 'fmg-source-ip', the IP of a local interface whose subnet is included in the VPN tunnel's interesting traffic (Phase 2 selectors). For example, if the subnet behind port1 of the FortiGate is allowed in the tunnel, use the port1 interface IP as the 'fmg-source-ip' so that the FortiGate sources the connection to the FortiManager from that IP (provided, of course, that the FortiManager can communicate with this IP over the VPN tunnel).
- Then continue and configure the system central management:
# config system central-management
    set interface-select-method specify
    set interface <VPN-Tunnel-Interface-Name>
    set fmg-source-ip <interface-ip-local-subnet-interesting-traffic>     <----- Optional.
end
OR
- FortiGate was upgraded from FortiManager, and after the reboot the FortiGate lost its connection to FortiManager.
- Check which route the FortiGate now takes to reach the FortiManager:
# get router info routing-table details <fmg-ip>
- If it shows several routes, pin the correct one by setting the outgoing interface manually with the following commands in the FortiGate CLI:
# config system central-management
    set interface-select-method specify
    set interface <interface_name>
end
The options for interface-select-method are:
FortiGate (central-management) # set interface-select-method
    auto       <----- Set outgoing interface automatically.
    sdwan      <----- Set outgoing interface by SD-WAN or policy routing rules.
    specify    <----- Set outgoing interface manually.
Use the interface returned by the 'get router info routing-table details' output as the interface name in the 'set interface' command.
- Once this is done, FortiManager should be able to see FortiGate as online.
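The following is a complete worked example of the procedure above, added here as an illustration; it is not part of the original article. It assumes a FortiManager at 10.10.10.5 in a hub subnet 10.10.10.0/24 that is reachable only through the IPsec tunnel interface 'to_HQ', a FortiGate LAN on port1 with IP 192.168.10.1/24 that is included in the tunnel's Phase 2 selectors, and a default route via wan1. The routing-table output shown is illustrative of the shape of that command's output; exact wording varies between FortiOS versions.

```fortios
FGT # get router info routing-table details 10.10.10.5
Routing table for VRF=0
Routing entry for 10.10.10.0/24
  Known via "static", distance 10, metric 0, best
  * directly connected, to_HQ

FGT # execute ping-options source 192.168.10.1
FGT # execute ping 10.10.10.5

FGT # config system central-management
    set type fortimanager
    set fmg "10.10.10.5"
    set interface-select-method specify
    set interface "to_HQ"
    set fmg-source-ip 192.168.10.1
end

FGT # diagnose fdsm central-mgmt-status
FGT # diagnose debug application fgfmd -1
FGT # diagnose debug enable
```

Step by step: the first command confirms that the route matching the FortiManager IP leaves through 'to_HQ'; if the entry returned were 'Routing entry for 0.0.0.0/0' via wan1 instead, the registration traffic would be sent outside the tunnel, which is exactly the failure this article describes. The ping with 'ping-options source' checks that the tunnel actually carries traffic sourced from the port1 IP that will later be set as 'fmg-source-ip'. The central-management block then pins both the outgoing interface and the source IP so that a routing change (for example one introduced by an upgrade) cannot move the connection off the tunnel. The last three commands show the management connection state and the FGFM daemon debug output while the FortiGate reconnects; run 'diagnose debug disable' once the device shows as online in FortiManager.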
Copyright 2024 Fortinet, Inc. All Rights Reserved.