ganeshcs (Staff)
Article Id 213104
Description

This article serves as a troubleshooting guideline for connecting FortiGate to Symantec Endpoint Protection Manager (SEPM) as a source of dynamic addresses.
Scope

On FortiGate versions prior to 7.0.0, the SEPM can use a self-signed certificate when connecting with FortiGate.

On FortiGate version 7.0.5, FortiGate performs certificate validation and requires the SEPM certificate to be signed by a CA.

Solution

To configure the Symantec endpoint connector on FortiGate in the CLI:

1) Create the fabric connector:


# config system sdn-connector
edit "sepm-217"
set type sepm
set server "SEPM_IP_x.x.x.x"
set username "admin"
set password *********
set status enable
next
end


2) Create the dynamic IP address:


# config firewall address
edit "sepm-ip"
set type dynamic
set sdn "sepm-217"
set filter "ComputerName=win10-1"
config list
edit "10.1.100.187"
next
edit "10.6.30.187"
next
edit "172.16.200.187"
next
end
next
end


3) Add the dynamic IP address to the firewall policy:


# config firewall policy
edit 1
set name "pol1"
set srcintf "port2"
set dstintf "port1"
set srcaddr "sepm-ip"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set logtraffic all
set fsso disable
set nat enable
next
end


Gathering data and troubleshooting SEPM connectivity:

PuTTY session 1: capture the traffic between FortiGate and the SEPM on TCP port 8446 (the port the connector uses) while the connector tries to connect:

# diagnose sniffer packet any "port 8446" 4


PuTTY session 2: verify the connector configuration and collect the sepmd daemon debug output:

# config system sdn-connector
show full-configuration
end
diagnose test application sepmd 1
diagnose test application sepmd 2
diagnose debug console timestamp enable
diagnose debug application sepmd -1
diagnose debug enable
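The sniffer capture from session 1 tells you whether the connector's TCP connections to the SEPM even complete before sepmd reports a TLS or login problem. The following Python helper is an added example (not from the article or from Fortinet) that groups sniffer lines into per-connection flows and gives a verdict for each; it assumes the verbose-4 line layout `<time> <interface> <in|out> <src>.<port> -> <dst>.<port>: <tcp flags>`, and the sample capture embedded in it is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag sniffer packet any "port 8446" 4' output (made up here, not
# captured from a real unit); assumed layout: <time> <intf> <in|out> <src>.<port> -> <dst>.<port>: <flags>
SAMPLE = """\
filters=[port 8446]
0.000000 port1 out 10.1.100.1.51000 -> 10.1.100.187.8446: syn 1111
0.001200 port1 in 10.1.100.187.8446 -> 10.1.100.1.51000: syn 2222 ack 1112
0.010000 port1 out 10.1.100.1.51000 -> 10.1.100.187.8446: psh 1112 ack 2223
0.020000 port1 in 10.1.100.187.8446 -> 10.1.100.1.51000: psh 2223 ack 1400
0.030000 port1 out 10.1.100.1.51000 -> 10.1.100.187.8446: rst 1400 ack 2500
5.000000 port1 out 10.1.100.1.51001 -> 10.1.100.187.8446: syn 3333
8.000000 port1 out 10.1.100.1.51001 -> 10.1.100.187.8446: syn 3333
"""
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?:in|out)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>.+)$"
)

def classify_flows(sniffer_output, server_port=8446):
    """Key FortiGate->SEPM flows by (client ip, client port); return a verdict string per flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "data": False, "closed": False})
    for line in sniffer_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # header lines such as filters=[...]
        flags = m["flags"].split()
        if int(m["dport"]) == server_port:    # packet from FortiGate to SEPM
            f, to_server = flows[(m["src"], int(m["sport"]))], True
        elif int(m["sport"]) == server_port:  # reply from SEPM
            f, to_server = flows[(m["dst"], int(m["dport"]))], False
        else:
            continue
        if flags[0] == "syn":
            if to_server:
                f["syn"] += 1                 # retransmitted SYNs pile up here
            elif "ack" in flags:
                f["synack"] = True            # SEPM answered the handshake
        f["data"] |= "psh" in flags
        f["closed"] |= "rst" in flags or "fin" in flags
    verdicts = {}
    for key, f in flows.items():
        if not f["synack"]:
            verdicts[key] = f"no SYN-ACK after {f['syn']} SYN(s): SEPM unreachable or port {server_port} filtered"
        elif f["data"] and f["closed"]:
            verdicts[key] = "TCP handshake OK, data exchanged then closed: check sepmd debug for TLS/certificate or login errors"
        else:
            verdicts[key] = "TCP handshake OK, session open"
    return verdicts
```

Paste the real sniffer output into `classify_flows()`: an "unreachable" verdict points at routing or an intermediate firewall, while "data exchanged then closed" means the network path is fine and the answer lies in the sepmd debug from session 2 (for example the CA-signed certificate requirement described in the Scope).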
