Author: sfrati (Staff)
Article Id 318422
Description

This article explains how to work around the error message 'Could not connect to the FortiManager to retrieve its serial number' when registering a FortiGate to a FortiManager running 7.2.5.

Scope

In 7.2.5 the fgfmd protocol introduces a new verification of the certificate CN or SAN, enabled by default (see Special Notices in the Release Notes). It adds a further security check and prevents MITM attacks when a new device tries to establish a connection or to register.

By default this verification is enabled, and FortiManager checks that the subject CN or SAN of the certificate presented by the FortiGate matches the serial number of the requesting device.

The check is mutual: the FortiGate also checks the serial number in the certificate presented by the FortiManager.

 

When configuring the FortiManager for central management in the FortiGate CLI, it is possible to set the serial number that the FortiManager is expected to present in its certificate:

show sys central-management
config system central-management
    set type fortimanager
    set schedule-config-restore disable
    set schedule-script-restore disable
    set serial-number "FMG-VM0A12345678"
    set fmg "10.5.58.190"
end

 

If there is a typo in the serial number, or central management was switched from one FortiManager to another, this error message appears.

 
Solution

On the FortiGate: using the CLI, edit the expected FortiManager serial number or unset it:

config system central-management
    unset serial-number
end

 

After refreshing the GUI, a pop-up window warns the administrator and asks for confirmation.

Select Accept after checking the serial number on the FortiManager.

[Screenshot: pic02.png]

 

On the FortiManager: it is possible to disable this new feature and return to the previous 7.2.4 behavior with the following CLI command, which also allows registration from any node of a cluster:

config system global
    set fgfm-peercert-withoutsn enable
end

 

With this option enabled, FortiManager no longer performs the additional check that the serial number of the requesting device and the serial number in its certificate match exactly.
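The following script is an added example and not Fortinet code; FortiOS and FortiManager do not expose this logic. It models the two-way serial-number check described in the Scope and Solution sections above: it parses the `show system central-management` output for the configured `serial-number`, evaluates the FortiGate-side check against the serial carried in the FortiManager certificate (CN or SAN), and evaluates the FortiManager-side check with and without `fgfm-peercert-withoutsn`. All serial numbers and the config text are constructed sample values.

```python
"""Model of the mutual fgfm serial-number verification (added example).

This is not the vendor's implementation; it only reproduces the documented
decisions so an administrator can see why a registration is refused and
what `unset serial-number` and `fgfm-peercert-withoutsn` change.
"""
import re
from typing import Iterable, Optional, Set, Tuple

# Constructed sample: FortiGate config as printed by
# `show system central-management` (serial and IP are fictitious).
CONFIG_WITH_SN = """config system central-management
    set type fortimanager
    set schedule-config-restore disable
    set schedule-script-restore disable
    set serial-number "FMG-VM0A12345678"
    set fmg "10.5.58.190"
end"""

# Constructed sample: the same config after `unset serial-number`.
CONFIG_UNSET = """config system central-management
    set type fortimanager
    set fmg "10.5.58.190"
end"""

ERROR_TEXT = "Could not connect to the FortiManager to retrieve its serial number"


def expected_fmg_serial(config_text: str) -> Optional[str]:
    """Return the FortiManager serial the FortiGate expects, or None if unset."""
    match = re.search(r'^\s*set serial-number "([^"]+)"', config_text, re.M)
    return match.group(1) if match else None


def serials_in_cert(subject_cn: str, sans: Iterable[str] = ()) -> Set[str]:
    """Collect the identities a certificate carries in its CN and SAN entries.

    Fortinet device certificates carry the unit serial in the subject CN;
    SAN values are included because the 7.2.5 check accepts "CN or SAN".
    """
    return {subject_cn, *sans}


def fortigate_accepts_fmg(config_text: str, fmg_cert_cn: str,
                          fmg_cert_sans: Iterable[str] = ()) -> Tuple[bool, str]:
    """FortiGate side: compare the configured serial-number with the FMG cert.

    Returns (accepted, reason). With serial-number unset, the FortiGate
    accepts and the GUI asks the administrator to confirm the presented serial.
    """
    expected = expected_fmg_serial(config_text)
    if expected is None:
        return True, "serial-number unset: GUI pop-up asks the admin to Accept"
    if expected in serials_in_cert(fmg_cert_cn, fmg_cert_sans):
        return True, "configured serial-number matches the FortiManager certificate"
    return False, ERROR_TEXT


def fortimanager_accepts_fgt(device_serial: str, fgt_cert_cn: str,
                             fgt_cert_sans: Iterable[str] = (),
                             peercert_withoutsn: bool = False) -> Tuple[bool, str]:
    """FortiManager side (7.2.5+): the requesting device's serial must match the
    serial in its certificate CN/SAN unless fgfm-peercert-withoutsn is enabled,
    which restores the 7.2.4 behaviour.
    """
    if peercert_withoutsn:
        return True, "fgfm-peercert-withoutsn enabled: CN/SAN check skipped (7.2.4 behaviour)"
    if device_serial in serials_in_cert(fgt_cert_cn, fgt_cert_sans):
        return True, "device serial matches the certificate CN/SAN"
    return False, "device serial does not match the certificate CN/SAN; registration refused"


def suggest_fix(config_text: str, actual_fmg_serial: str) -> str:
    """Tell the administrator what to do when the FortiGate-side check fails."""
    expected = expected_fmg_serial(config_text)
    if expected is None or expected == actual_fmg_serial:
        return "no change needed"
    return ("configured serial-number %s does not match FortiManager %s; run:\n"
            "config system central-management\n    unset serial-number\nend"
            % (expected, actual_fmg_serial))


if __name__ == "__main__":
    # Walk through the scenario in the article: a typo in serial-number.
    ok, why = fortigate_accepts_fmg(CONFIG_WITH_SN, "FMG-VM0A87654321")
    print(ok, why)
    print(suggest_fix(CONFIG_WITH_SN, "FMG-VM0A87654321"))
    print(fortigate_accepts_fmg(CONFIG_UNSET, "FMG-VM0A87654321"))
    print(fortimanager_accepts_fgt("FGVMEV0000000001", "FGVMEV0000000002"))
    print(fortimanager_accepts_fgt("FGVMEV0000000001", "FGVMEV0000000002",
                                   peercert_withoutsn=True))
```

The model shows the trade-off of the FortiManager-side knob: with `fgfm-peercert-withoutsn` enabled, a device whose certificate identity does not match its claimed serial is accepted, which is exactly the mismatch the 7.2.5 default is meant to catch, so unsetting the serial on the FortiGate is the narrower fix when the real cause is a typo or a changed FortiManager.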

 
