Description |
This article explains how to work around the error message 'Could not connect to the FortiManager to retrieve its serial number' when trying to register a FortiGate to a FortiManager 7.2.5. |
Scope |
The fgfmd protocol introduced in 7.2.5 a new, enabled-by-default verification of the certificate CN or SAN (see Special Notices in the Release Notes) to add a further security check and avoid MITM attacks when a device tries to establish a new connection or register.
Because FGFM authentication is mutual, the check runs on both sides: FortiManager checks that the subject CN or SAN of the certificate presented by the FortiGate matches the FortiGate serial number, and the FortiGate checks that the serial number in the certificate presented by the FortiManager matches the one it expects.
When configuring the FortiManager for central management in the FortiGate CLI, it is possible to set the serial number that the FortiManager is expected to present in its certificate. The configured value is visible with:
show sys central-management
If the serial number contains a typo, or central management is moved from one FortiManager to another without updating it, the expected serial number no longer matches the certificate and this error message appears.
Solution |
On the FortiGate: using the CLI, edit the serial number expected from the FortiManager (set serial-number "<FortiManager serial>") or unset it so that it is learned again:
config system central-management
    unset serial-number
end
After refreshing the GUI, a pop-up window warns the administrator and asks for confirmation. Compare the serial number shown with the one reported by the FortiManager itself (for example in the output of get system status on the FortiManager) and only then select Accept.
On the FortiManager: the new check can be disabled to return to the previous v7.2.4 behavior with the CLI command below, which also allows registration from any node of the cluster:
config system global
    set fgfm-peercert-withoutsn enable    <----- This command has been disabled on v7.4.6 and onwards.
end
Note: from v7.4.6 and v7.6.2 this option is no longer supported and must stay disabled. While it is enabled, FortiManager skips the additional check that the serial number of the requesting device exactly matches the one shown in its certificate, so the protection introduced in 7.2.5 is lost.
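As an added example (not Fortinet code, and not how fgfmd itself is implemented), the following POSIX shell script models the 7.2.5 peer-certificate check with openssl. It builds a constructed self-signed certificate standing in for the FortiManager certificate, with a made-up serial number in the subject CN (or in a DNS subjectAltName entry), extracts every identity the certificate presents, and accepts the peer only when one of them equals the expected serial exactly. The demo shows that a one-character typo in the expected serial is enough to be rejected, which is the condition behind the error message above, and the withoutsn mode models the effect of set fgfm-peercert-withoutsn enable. All serial numbers, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not Fortinet code: models the FGFM 7.2.5 peer-certificate check
# with openssl. Serial numbers, paths and function names are assumptions.
set -eu

# Create a constructed self-signed certificate standing in for the peer's
# FGFM certificate. $1 = output PEM, $2 = subject CN, $3 = optional DNS SAN.
make_test_cert() {
    san_arg=""
    if [ -n "${3:-}" ]; then
        san_arg="-addext subjectAltName=DNS:$3"
    fi
    # san_arg is intentionally left unquoted so it splits into two arguments
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=$2" $san_arg >/dev/null 2>&1
}

# Print every identity the certificate presents: the subject CN first,
# then each DNS entry of the subjectAltName extension (one per line).
cert_identities() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Strict 7.2.5 behaviour: the peer is accepted only if one of the identities
# in its certificate is exactly the serial number we expect.
# $1 = PEM, $2 = expected serial number. Returns 0 on match, 1 otherwise.
peer_cert_matches_serial() {
    for id in $(cert_identities "$1"); do
        [ "$id" = "$2" ] && return 0
    done
    return 1
}

# Decision wrapper. Mode "strict" is the 7.2.5 default; mode "withoutsn"
# models `set fgfm-peercert-withoutsn enable`, which skips the serial
# comparison entirely (the pre-7.2.5 behaviour).
accept_peer() {   # $1 = PEM, $2 = expected serial, $3 = strict | withoutsn
    if [ "$3" = "withoutsn" ]; then
        return 0
    fi
    peer_cert_matches_serial "$1" "$2"
}

# Demonstration: a FortiManager certificate carrying a constructed serial,
# checked against the right value, a one-character typo, and relaxed mode.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/fmg.pem" "FMG-VMTM00000001"
    for expected in FMG-VMTM00000001 FMG-VMTM00000010; do
        if peer_cert_matches_serial "$tmp/fmg.pem" "$expected"; then
            echo "expected $expected: match, FortiManager accepted"
        else
            echo "expected $expected: no match, registration refused"
        fi
    done
    accept_peer "$tmp/fmg.pem" FMG-VMTM00000010 withoutsn \
        && echo "withoutsn: accepted without any serial check"
    rm -rf "$tmp"
}

demo
```

The two openssl x509 calls in cert_identities can also be run against a certificate saved from a real FortiManager, which gives an independent way to confirm the serial number before selecting Accept in the FortiGate GUI pop-up.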
Copyright 2025 Fortinet, Inc. All Rights Reserved.