MichaelTorres
Article Id 384695
Description

This article describes a behavior where, after upgrading FortiGate to v7.4.7, the IP in the FortiManager connector is changed to '::FFFF:X.X.X.X'.

Scope

FortiGate v7.4.7 and FortiManager v7.4.6.
Solution

Users configure a FortiManager in FortiGate under the central management settings.

 

config system central-management
    set type fortimanager
    set serial-number "FMG-VMxxxxxxx"
    set fmg "192.168.3.4"
    set fmg-source-ip 1.1.1.1
end

 

After upgrading to version 7.4.7, the prefix '::ffff:' is added to the beginning of the FortiManager IP.

 

config system central-management
    set type fortimanager
    set serial-number "FMG-VMxxxxxxx"
    set fmg "::ffff:192.168.3.4"
    set fmg-source-ip 1.1.1.1
end

 

This can cause FortiGate to change the source IP used for communication with FortiManager. Run the following debug commands to verify:

 

diagnose debug disable
diagnose debug reset
diagnose debug application fgfmd -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop debugging:

 

diagnose debug disable

 

The debug output shows:

 

allow-push-firmware : enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
serial-number : "FMG-VMxxxxxxx"
fmg : "::ffff:192.168.3.4"
fmg-source-ip : 5.5.5.5 <- FortiGate uses an IP different from the one configured in the connector.
fmg-source-ip6 : ::

 

Workaround:

 

  1. Delete the 'ffff' in the FortiManager IP through the FortiGate GUI in the section 'Security Fabric - Fabric connector - Central management'.

Note: When trying to modify the IP through the CLI, FortiGate shows an error regarding the FortiManager Serial Number.

 

  2. Restart the fgfmd process.

fnsysctl killall fgfmd

 

  3. Refresh the FortiGate connector on the FortiManager side.

 

Fix schedule:

Upgrade to versions 7.4.8 and 7.6.1.
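
To check saved configuration backups for the rewritten address described above, the following Python script is an added example (not part of the original article and not Fortinet code). It reads the 'config system central-management' block and reports when 'set fmg' holds an address of the form '::ffff:X.X.X.X'. The backup text is a constructed sample and the function name check_fmg_address is hypothetical.

```python
import ipaddress
import re

# Constructed sample of a configuration backup (not from a real device).
SAMPLE_BACKUP = '''\
config system global
    set hostname "FGT-LAB"
end
config system central-management
    set type fortimanager
    set serial-number "FMG-VMxxxxxxx"
    set fmg "::ffff:192.168.3.4"
    set fmg-source-ip 1.1.1.1
end
'''

# Top-level block only: nested blocks end with an indented "end".
SECTION_RE = re.compile(
    r"^config system central-management\s*$(.*?)^end\s*$", re.M | re.S)
# "set fmg <value>" but not "set fmg-source-ip ..." (whitespace must follow "fmg").
FMG_RE = re.compile(r'^\s*set fmg\s+"?([^"\s]+)"?\s*$', re.M)


def check_fmg_address(backup_text):
    """Return (configured_value, ipv4_equivalent_or_None) for 'set fmg'.

    ipv4_equivalent is set only when the value has the '::ffff:a.b.c.d'
    form shown in this article. Returns None when the backup has no
    central-management 'fmg' setting at all.
    """
    section = SECTION_RE.search(backup_text)
    if not section:
        return None
    fmg = FMG_RE.search(section.group(1))
    if not fmg:
        return None
    value = fmg.group(1)
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return (value, None)  # FQDN or other non-IP value: nothing to flag
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return (value, str(addr.ipv4_mapped))
    return (value, None)


if __name__ == "__main__":
    result = check_fmg_address(SAMPLE_BACKUP)
    if result and result[1]:
        print(f"fmg was rewritten: {result[0]} (IPv4 address: {result[1]})")
```
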