Created on 05-31-2024 09:01 AM. Edited on 03-26-2025 09:00 AM. By Jean-Philippe_P
Description
This article describes how to resolve the loss of connectivity to a managed FortiGate cluster right after upgrading FortiManager to v7.0.12 or v7.2.5. It can happen when a FortiManager just upgraded to v7.0.12 or v7.2.5 tries to reach a FortiGate cluster while the secondary node of the cluster is currently acting as primary.
If switching over from secondary to primary, or vice versa, causes the FortiManager and the cluster to connect or disconnect, the cause is most likely the new authentication feature introduced in v7.0.12 or v7.2.5.
Scope
FortiManager v7.0.12 or v7.2.5 and above.
Solution
When a FortiGate registers to FortiManager for the first time, or when the fgfmd daemon later connects to FortiManager on TCP/541 because central management is configured, the primary node of the cluster establishes the connection to the FortiManager over an encrypted TLS session.
A new authentication check in the fgfm protocol was introduced in v7.0.12 or v7.2.5; its background is also described in the related articles below.
Because the certificate CN is now checked against the serial number of the connected device (both when FortiGate connects to FortiManager and when FortiManager connects to FortiGate), the serial number carried in the presented certificate must match.
If the secondary node of the cluster is currently handling the connection, its serial number may not match the one presented in the Fortinet_Factory certificate, and the connectivity between FortiGate and FortiManager will not come up. This can be seen in the FGFM debug output ('diag debug application fgfm 255'). This is fixed in FortiOS v7.0.16/v7.2.9/v7.4.5/v7.6.0.
FGFMs: __session_cb,125: fgfm_fqdn_connect fail..
Or:
"code": -35007, "message": "Fgfm protocol error"
Enable fgfm-peercert-withoutsn under config system global on the FortiManager:
config system global
    set fgfm-peercert-withoutsn enable
end
With this option enabled, FortiManager skips the additional check that the serial number of the requesting device exactly matches the one shown in the presented certificate.
Or:
The issue can also be caused by the FortiGate local certificate Fortinet_Factory using 'fortigate' as its Subject Common Name (CN). Ensure the Fortinet_Factory Subject Common Name (CN) is the FortiGate serial number rather than 'fortigate'.
To fix this, run 'exec vm-license <FGT SN>' on the FortiGate to populate the FortiGate serial number information. Note: 'exec vm-license <FGT SN>' requires a reboot of the FortiGate.
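To make the check concrete, here is an added Python model of the decision logic described above; it is not Fortinet code and does not reproduce the fgfm protocol itself. The function names, the session and certificate fields, and every serial number are assumptions or constructed sample values; the model covers the normal case, the HA secondary presenting its own factory certificate, the fgfm-peercert-withoutsn override, and the 'fortigate' CN case.

```python
"""Model of the fgfm peer-certificate serial-number check (added illustration,
not Fortinet code). Serial numbers and subjects are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Optional

def subject_cn(subject: str) -> Optional[str]:
    """Return the CN attribute of a comma-separated subject string, or None."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str

def check_peer_cert(session_sn: str, cert_subject: str,
                    peercert_withoutsn: bool = False) -> Decision:
    """Compare the serial number seen on the fgfm session with the cert CN."""
    cn = subject_cn(cert_subject)
    if cn is None:
        return Decision(False, "certificate subject has no CN")
    if peercert_withoutsn:
        # FortiManager 'set fgfm-peercert-withoutsn enable': skip the SN check.
        return Decision(True, "fgfm-peercert-withoutsn enabled, SN check skipped")
    if cn.lower() == "fortigate":
        # Fortinet_Factory CN never replaced by the SN (see 'exec vm-license').
        return Decision(False, "CN is 'fortigate', not a serial number")
    if cn != session_sn:
        # Typical HA case: the secondary node presents its own factory cert.
        return Decision(False, f"CN {cn} does not match session SN {session_sn}")
    return Decision(True, "CN matches session serial number")

# Constructed sample sessions: (session SN, certificate subject, FMG setting).
SAMPLES = {
    "primary": ("FGVMSAMPLE0000001", "O=Fortinet, CN=FGVMSAMPLE0000001", False),
    "secondary": ("FGVMSAMPLE0000001", "O=Fortinet, CN=FGVMSAMPLE0000002", False),
    "override": ("FGVMSAMPLE0000001", "O=Fortinet, CN=FGVMSAMPLE0000002", True),
    "unlicensed": ("FGVMSAMPLE0000001", "O=Fortinet, CN=fortigate", False),
}

def evaluate_samples() -> Dict[str, bool]:
    """Run every sample through the check; returns name -> accepted."""
    return {name: check_peer_cert(*args).accepted for name, args in SAMPLES.items()}
```

The "secondary" sample is the failover situation from this article, and "override" shows the same session accepted once the FortiManager setting is enabled.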
Related documents:
Copyright 2025 Fortinet, Inc. All Rights Reserved.