FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ganeshcs
Staff
Staff
Description This article serves as a troubleshooting guideline when trying to connect FortiGate to SEPM for Dynamic Addresses.
Scope

On FortiGate version prior to 7.0.0, the SEPM can be using a self signed cert to connect with FortiGate.


On FortiGate version 7.0.5, FortiGate will perform a certificate validation and require the SEPM to be signed by a CA.

Solution

To configure Symantec endpoint connector on FortiGate in the CLI:

 

1) Create the fabric connector:


# config system sdn-connector
edit "sepm-217"
set type sepm
set server "SEPM_IP_x.x.x.x"
set username "admin"
set password *********
set status enable
next
end

 

2) Create the dynamic IP address:


# config firewall address
edit "sepm-ip"
set type dynamic
set sdn "sepm-217"
set filter "ComputerName=win10-1"
config list
edit "10.1.100.187"
next
edit "10.6.30.187"
next
edit "172.16.200.187"
next
end
next
end

 

3) Add the dynamic IP address to the firewall policy:


# config firewall policy
edit 1
set name "pol1"
set srcintf "port2"
set dstintf "port1"
set srcaddr "sepm-ip"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all
set fsso disable
set nat enable
next
end

 

Gathering data and troubleshooting SEPM connectivity.

 

Putty 1


# diag sniffer packet any "port 8446" 4

 

Putty 2


# config system sdn-connector
sh full
end
diagnose test application sepmd 1
diagnose test application sepmd 2
diag debug console timestamp enable
diagnose debug application sepmd -1
diag debug enable

 

Contributors