GeorgeZhong
Staff & Editor
Article Id 377011
Description
This article describes a scenario where importing a FortiGate VM license may cause the FortiGate VM to get stuck in a license validation failure state, even if the FortiGate has internet connectivity.
Scope
FortiGate.
Solution

In some FortiGate VMs, the Common Name (CN) in the Fortinet_Factory certificate may display as 'FortiGate' instead of the device serial number.
This can lead to connectivity issues between the FortiGate and FortiManager, EMS, or other Security Fabric devices due to certificate validation failures. 
While FortiManager currently allows bypassing serial number verification during certificate validation, this option will be removed in FortiManager versions 7.4.6 and 7.6.2. After this update, FortiManager will enforce serial number verification in the FortiGate certificate.
To avoid this issue, always download the license from the Fortinet Support Portal for the corresponding VM and manually upload the license file via the GUI. Further details can be found in the following articles:
Before importing the VM license, however, make sure the FortiGate has internet connectivity. On FortiGate VMs with multiple VDOMs, verify that the management VDOM has direct internet access; if its connectivity routes through another VDOM, license validation will fail.
Example Scenario:

  • Topology:
    Root VDOM -> Inter-VDOM link -> Internet VDOM -> Internet.
In this setup, the Root VDOM (default management VDOM) relies on the Internet VDOM for internet access. When the VM license is imported, the FortiGate must connect to the FortiGuard server for license validation after a reboot.
However, before validation, the FortiGate has limited functionality and can only handle local-in/local-out traffic. Traffic passing through the FortiGate (e.g. from the Root VDOM to the Internet VDOM) cannot be forwarded. This results in the license validation remaining in a 'Pending' state indefinitely, preventing the FortiGate from processing production traffic.
In severe cases, if management access relies on firewall policies in the Internet VDOM, this access may also be lost. Console access or direct interface access may be the only remaining options.
There are two options to solve this problem:
The first option is to configure the 'Internet VDOM' as the management VDOM temporarily to restore the connectivity to the FortiGuard server. See Technical Tip: Purpose of Management VDOM in the case of license/contract information for instructions.
The second option is to configure the FortiGuard setting to use the 'Internet VDOM' without changing the management VDOM. This is only available after FortiOS 7.2.3. See Technical Tip: How to use non management VDOM for Fortiguard services and updates for instructions.
Note: Both options will require adjusting the source IP and interface under the FortiGuard setting to ensure connectivity from the 'Internet VDOM' is successful. See Technical Tip: How to control/change the FortiGate source IP for self-generated traffic for instructions.
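As an added example that is not part of the original article, the CLI for the second option together with the source IP and interface adjustment from the note above, followed by the first option for comparison. The VDOM name 'Internet', the interface port1 and the address 203.0.113.10 are assumptions for this example, not values from the article.

```fortios
# Option 2 (FortiOS 7.2.3 or later): send FortiGuard traffic from the
# 'Internet' VDOM without changing the management VDOM.
# VDOM name, interface and source IP are assumptions for this example.
config system fortiguard
    set vdom "Internet"
    # Pin the egress interface and source IP so the validation request
    # leaves through the VDOM that actually has an internet route,
    # instead of being sourced from the root VDOM behind the inter-VDOM link.
    set interface-select-method specify
    set interface "port1"
    set source-ip 203.0.113.10
end

# Option 1 alternative: temporarily make 'Internet' the management VDOM.
# Revert to root after the license is validated.
config system global
    set management-vdom "Internet"
end

# Force a FortiGuard contact attempt and check the license state.
execute update-now
get system status | grep License
```

If the license line still shows as pending after the change, re-check that the chosen interface belongs to the 'Internet' VDOM and that the source IP is configured on it.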