Description
This article describes how to add devices when FortiManager is configured with 'fgfm-deny-unknown enable'.
When this CLI setting is configured:
config system global
set fgfm-deny-unknown enable
end
FortiManager rejects all management requests from devices whose serial numbers are not already in its Device Manager database.
As a result, a new FortiGate that initiates the FGFM connection is dropped and does not appear under Unauthorized Devices in FortiManager, so it cannot be authorized from the GUI.
If the new FortiGate is behind NAT, FortiManager also cannot use FGFM discovery (Add Device -> Discover) to reach it, because discovery requires a direct connection from FortiManager to the FortiGate's IP address.
When a FortiGate is configured to contact a FortiManager that has this setting enabled, the FortiManager event log records each rejected attempt with a message of this form (the serial number and source IP of the rejected device are included):
msg="Deny request from an unregistred device [fgt_serial] ([connecting_IP])"
Scope
FortiManager / FortiManager Cloud.
Solution
In the above scenario, the only way to add a new FortiGate is to create its entry in the Device Manager database first, so that its serial number is known before it connects. Here are a few possible ways to do that.
Option 1. Device Manager (Normal mode ADOM) -> Add Device -> Add Model Device.
Important Note:
After creating a model device in a Normal mode ADOM, FortiManager automatically assigns a default configuration to it. If this default configuration is not modified, FortiManager will push it as is to the newly connected FortiGate, effectively deleting its running configuration.
This can be avoided by following the instructions below.
Option 2. Use temporary Backup Mode ADOM (not applicable for FortiManager Cloud):
Option 3. Create a new 'real' (non-model) device directly in the FortiManager Device Manager database using the JSON API. Refer to How to add a real FortiGate device to FortiManager using an API query. This option allows multiple devices to be added with automation tools and is more convenient when a large number of new FortiGates need to be added. Because the entry is created as a real device rather than a model device, the default-configuration push described in the note for Option 1 does not apply.
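The following script is an added example, not code from this article or from Fortinet. It ties the event-log message above to Option 3: it extracts the serial numbers and source IPs from 'Deny request from an unregistred device' log lines and builds the FortiManager JSON-RPC requests (login to /sys/login/user, then exec /dvm/cmd/add/device) that pre-register each serial. The log lines, hostnames and credentials are constructed; the exact set of keys accepted under "device" (name, sn, adm_usr, adm_pass, ip, mgmt_mode) is assumed from the FortiManager JSON API reference and should be checked against the referenced KB article for your FortiManager version. Nothing is sent unless send_rpc() is called.

```python
import json
import re
import ssl
import urllib.request

# Pattern for the FortiManager event-log message quoted in the article.
# "unregistred" is the literal string FortiManager emits; the optional "e"
# also matches the correctly spelled form in case it changes between releases.
DENY_RE = re.compile(
    r'msg="Deny request from an unregist(?:e)?red device '
    r'\[(?P<sn>[A-Z0-9]+)\] \((?P<ip>[0-9.]+)\)"'
)

# Constructed sample event-log lines (not real FortiManager output). The second
# device appears twice to show that repeated connection attempts are de-duplicated,
# and the last line is an unrelated event that must be ignored.
SAMPLE_LOGS = [
    'date=2024-05-14 time=10:21:03 type=event subtype=fgfm level=warning '
    'msg="Deny request from an unregistred device [FGT60FTK20000001] (203.0.113.10)"',
    'date=2024-05-14 time=10:21:40 type=event subtype=fgfm level=warning '
    'msg="Deny request from an unregistred device [FGT100FTK2000002] (198.51.100.7)"',
    'date=2024-05-14 time=10:22:41 type=event subtype=fgfm level=warning '
    'msg="Deny request from an unregistred device [FGT100FTK2000002] (198.51.100.7)"',
    'date=2024-05-14 time=10:23:00 type=event subtype=system level=information '
    'msg="User admin logged in from 192.0.2.5"',
]


def denied_devices(log_lines):
    """Return {serial: connecting_ip} for every rejected FGFM request in the log."""
    found = {}
    for line in log_lines:
        m = DENY_RE.search(line)
        if m:
            found[m.group("sn")] = m.group("ip")
    return found


def build_login(user, passwd, req_id=1):
    """JSON-RPC login request; the response carries the 'session' token."""
    return {"id": req_id, "method": "exec",
            "params": [{"url": "/sys/login/user",
                        "data": {"user": user, "passwd": passwd}}]}


def build_add_device(session, adom, name, sn, adm_usr, adm_pass, ip, req_id=2):
    """JSON-RPC request that registers a real (non-model) device in the ADOM.

    Assumption: these "device" keys follow the FortiManager JSON API reference;
    mgmt_mode "fmg" means the device is managed by FortiManager (not FortiAnalyzer).
    """
    device = {"name": name, "sn": sn, "adm_usr": adm_usr, "adm_pass": adm_pass,
              "ip": ip, "mgmt_mode": "fmg"}
    return {"id": req_id, "session": session, "method": "exec",
            "params": [{"url": "/dvm/cmd/add/device",
                        "data": {"adom": adom, "device": device,
                                 "flags": ["create_task", "nonblocking"]}}]}


def rpc_status(response):
    """Return (code, message) from the first result of a JSON-RPC response."""
    status = response["result"][0]["status"]
    return status["code"], status["message"]


def send_rpc(host, payload, verify_tls=True):
    """POST one JSON-RPC payload to https://<host>/jsonrpc and return the parsed reply.

    Keep verify_tls=True in production; only disable it on a lab FortiManager that
    still uses its factory self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        "https://%s/jsonrpc" % host,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def main():
    # Dry run: print the requests that would pre-register every denied serial.
    for i, (sn, ip) in enumerate(sorted(denied_devices(SAMPLE_LOGS).items()), start=2):
        req = build_add_device("<session>", "root", "fgt-%s" % sn[-4:], sn,
                               "admin", "<fortigate-admin-password>", ip, req_id=i)
        print(json.dumps(req, indent=2))


if __name__ == "__main__":
    main()
```

In a real run, call send_rpc(host, build_login(...)) first, take the "session" value from the reply, pass it to build_add_device() for each serial, and check rpc_status() on each reply (code 0 is success). Pre-registering only serials that actually appear in the deny log keeps the database from accumulating entries for devices that never connect.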
Copyright 2024 Fortinet, Inc. All Rights Reserved.