sfrati
Staff
Article Id 318425
Description

This article describes how to solve a loss of connectivity to managed HA clusters right after a FortiManager upgrade to v7.0.12 or v7.2.5. It can occur when a FortiManager just upgraded to one of these versions tries to reach a FortiGate cluster whose secondary node is currently handling the connection on behalf of the primary.

 

If a failover from secondary to primary, or vice versa, causes the FortiManager and the cluster to connect or disconnect, the cause is most likely the new certificate check introduced in v7.0.12 and v7.2.5.

Scope

FortiManager v7.0.12, v7.2.5 and later.

Solution

When a FortiGate registers to FortiManager for the first time, or when the fgfmd daemon later connects to FortiManager on TCP/541 because central management is configured, the primary node of the cluster establishes the connection to FortiManager over an encrypted TLS session.

 

A new peer-authentication feature for the fgfm protocol is introduced in v7.0.12 and v7.2.5; its background is also described in the related articles below.

 

With this feature, the CN of the presented certificate is checked against the serial number (SN) of the connected device, in both directions (when FortiGate connects to FortiManager and when FortiManager connects to FortiGate), so the SN carried in the certificate CN must match the SN of the peer.

 

If the secondary node of the cluster is currently handling the connection, the SN in the CN of the Fortinet_Factory certificate it presents is its own, which may not match the SN FortiManager expects for the cluster. The failure can be seen in the fgfm debug (diag debug application fgfm 255):

 

FGFMs: __session_cb,125: fgfm_fqdn_connect fail..

 

Or:

 

"code": -35007, "message": "Fgfm protocol error"

 

To work around it, enable fgfm-peercert-withoutsn under config system global on the FortiManager CLI:

 

config system global
    set fgfm-peercert-withoutsn enable
end

 

With this option enabled, FortiManager skips the additional check that the serial number of the requesting device exactly matches the one carried in the presented certificate. Note that this relaxes the binding between a device's certificate and its serial number for every managed device, so treat it as a workaround for the HA failover case rather than a permanent default, and verify afterwards that the cluster shows as connected in the FortiManager Device Manager.
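The script below is an added, simplified model of the SN-versus-CN check described above and of what fgfm-peercert-withoutsn changes; it is not Fortinet code. It assumes that the cluster identifies itself to FortiManager with the SN it was registered under (the primary's), that the connecting node presents a factory certificate whose CN is its own SN, and it uses constructed serial numbers, a constructed subject layout and function names of its own.

```python
"""Illustrative model of the fgfm peer-certificate SN check (added example,
not Fortinet code). All serial numbers, the subject layout and the notion
that the handshake carries a 'claimed SN' are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


def subject_cn(subject: str) -> Optional[str]:
    """Return the CN attribute of an X.509 subject written in OpenSSL's
    'C = US, O = Fortinet, CN = <SN>' style, or None if there is no CN."""
    for rdn in subject.split(","):
        if "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


@dataclass
class PeerSession:
    """What this model assumes FortiManager sees for one fgfm session."""
    claimed_sn: str      # SN the peer identifies itself with in the fgfm handshake
    cert_subject: str    # subject of the certificate presented in the TLS handshake


def check_peer(session: PeerSession, registered_sn: str,
               withoutsn: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason).

    withoutsn=False models the v7.0.12 / v7.2.5 behaviour: the certificate CN
    must equal the SN of the device. withoutsn=True models
    'set fgfm-peercert-withoutsn enable': the CN comparison is skipped."""
    if session.claimed_sn != registered_sn:
        return False, "unknown device %s" % session.claimed_sn
    if withoutsn:
        return True, "SN check skipped (fgfm-peercert-withoutsn enabled)"
    cn = subject_cn(session.cert_subject)
    if cn is None:
        return False, "Fgfm protocol error: certificate has no CN"
    if cn != registered_sn:
        return False, "Fgfm protocol error: cert CN %s != device SN %s" % (cn, registered_sn)
    return True, "certificate CN matches device SN"


# Constructed HA cluster: FortiManager registered it under the primary's SN.
# Both serial numbers are made-up placeholders, not real devices.
PRIMARY_SN = "FGT60FTK19000001"
SECONDARY_SN = "FGT60FTK19000002"
REGISTERED_SN = PRIMARY_SN


def factory_subject(node_sn: str) -> str:
    """Assumed layout of a factory certificate subject; only the CN matters here."""
    return "C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = %s" % node_sn


def scenario(connecting_node_sn: str, withoutsn: bool = False) -> Tuple[bool, str]:
    """The cluster keeps its registered identity, but the node that actually
    handles the connection presents its own factory certificate."""
    session = PeerSession(claimed_sn=REGISTERED_SN,
                          cert_subject=factory_subject(connecting_node_sn))
    return check_peer(session, REGISTERED_SN, withoutsn)


if __name__ == "__main__":
    print("primary connects:           ", scenario(PRIMARY_SN))
    print("secondary after failover:   ", scenario(SECONDARY_SN))
    print("secondary, option enabled:  ", scenario(SECONDARY_SN, withoutsn=True))
```

Run as-is: the primary passes, the secondary fails with the modelled "Fgfm protocol error" because its certificate CN is not the SN the cluster is registered under, and the same secondary passes once the option is enabled, which is exactly the symptom and the workaround described above.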

 

Related articles:

Technical Tip: How to register a new cluster when FortiManager 7.2.5 complains about subject CN or S...

FortiManager 7.2.5 GA new feature that may break the connectivity between FortiGate and FortiManager

FortiGate to FortiManager: FGFM Protocol flow