nevan
Staff
Article Id 338090
Description This article describes troubleshooting steps to perform if the serial number of the FortiManager is missing on the FortiGate.
Scope FortiOS.
Solution

The FortiManager serial number can be set in the FortiGate central-management configuration from the CLI as follows.

config system central-management
    set serial-number 'FMG-XYZ0MXXXXXXXX'
end

 

Sometimes the FortiManager serial number is missing from the FortiGate central-management settings even after it has been set, without any changes having been made on the FortiGate.

 

get sys central-management
               mode : normal
               type : fortimanager
               schedule-config-restore: enable
               schedule-script-restore: enable
               allow-push-configuration: enable
               allow-push-firmware : enable
               allow-remote-firmware-upgrade: enable
               allow-monitor : enable
               serial-number :
               fmg : "10.x.x.x"
               fmg-source-ip : 10.x.x.x
          [...]

 

In these cases, first check the communication between the FortiGate and the FortiManager, which can be done with a packet capture in the CLI:

diagnose sniffer packet any 'host 10.x.x.x and port 541' 4 0 l
     interfaces=[any]
     filters=[host 10.x.x.x]
     2024-08-22 17:04:52.928772 WAN out 10.x.x.x.24854 -> 10.x.x.x.541: syn 2012551551
     2024-08-22 17:05:40.198912 WAN out 10.x.x.x.1128 -> 10.x.x.x.541: syn 550339374
     2024-08-22 17:05:41.198725 WAN out 10.x.x.x.1128 -> 10.x.x.x.541: syn 550339374
     2024-08-22 17:05:43.198706 WAN out 10.x.x.x.1128 -> 10.x.x.x.541: syn 550339374


If the capture shows that the FortiGate is only sending SYN packets to the FortiManager and no ACK response comes back, there might be a communication problem between the FortiGate and the FortiManager, which should be fixed to resolve the issue.
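
The check described above can be run over saved sniffer output. This is an added example, not part of the original article: a Python script that parses the verbosity-4 line format shown in the capture and reports which FortiGate source ports sent SYNs to the FortiManager on port 541 without getting a reply. The addresses are constructed documentation-range values, and the reply line format (`syn <seq> ack <ack>`) is an assumption about how the sniffer prints a SYN-ACK.

```python
import re
from collections import defaultdict

# Verbosity-4 line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags...>"
LINE = re.compile(
    r"^\s*(\S+ \S+) (\S+) (in|out) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)

def unanswered_syns(capture, fmg_ip, port=541):
    """Return {(src_ip, src_port): syn_count} for flows to fmg_ip:port with no SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header lines such as interfaces=[any]
        _ts, _iface, _dir, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        words = flags.split()
        if "syn" not in words:
            continue
        if dst == fmg_ip and dport == port and "ack" not in words:
            syns[(src, sport)] += 1       # initial SYN or a retransmission
        elif src == fmg_ip and sport == port and "ack" in words:
            answered.add((dst, dport))    # assumed SYN-ACK form: "syn <seq> ack <ack>"
    return {flow: n for flow, n in syns.items() if flow not in answered}

# Constructed sample: one answered handshake, one flow that only retransmits SYNs.
SAMPLE = """\
interfaces=[any]
filters=[host 198.51.100.20 and port 541]
2024-08-22 17:04:52.928772 WAN out 192.0.2.10.24854 -> 198.51.100.20.541: syn 2012551551
2024-08-22 17:04:52.930101 WAN in 198.51.100.20.541 -> 192.0.2.10.24854: syn 778899 ack 2012551552
2024-08-22 17:05:40.198912 WAN out 192.0.2.10.1128 -> 198.51.100.20.541: syn 550339374
2024-08-22 17:05:41.198725 WAN out 192.0.2.10.1128 -> 198.51.100.20.541: syn 550339374
2024-08-22 17:05:43.198706 WAN out 192.0.2.10.1128 -> 198.51.100.20.541: syn 550339374
"""

if __name__ == "__main__":
    for (ip, sport), n in unanswered_syns(SAMPLE, "198.51.100.20").items():
        print(f"{ip}:{sport} sent {n} SYN(s) to port 541 with no SYN-ACK")
```

A repeated sequence number on the same source port, as in the last three sample lines, is a retransmission of the same SYN rather than a new connection attempt.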

 

Try to establish a telnet connection to the FortiManager IP on port 541 with the following command:

execute telnet 10.x.x.x 541

 

If the FortiManager connectivity is through an IPsec tunnel, specify the interface in the FortiManager (central-management) configuration. In this example, testvpn is the name of the VPN.

config system central-management
    set interface-select-method specify
    set interface testvpn
end

 

Related article:
Technical Tip: How to register a FortiGate to a FortiManager from CLI