Description
This article describes how to add devices when FortiManager is configured with 'fgfm-deny-unknown enable'.
When this CLI setting is configured:
config system global
set fgfm-deny-unknown enable
end
FortiManager rejects all management requests from devices with serial numbers which are not already in its Device Manager Database.
In this case, if the FGFM connection is initiated by a new FortiGate, it will not appear as an Unauthorized Device in FortiManager.
If this new FortiGate is behind NAT, then FortiManager also cannot use FGFM discovery to connect to the FortiGate.
When a FortiGate is configured to contact a FortiManager with this setting enabled, the FortiManager will show event logs containing this message:
msg="Deny request from an unregistred device [fgt_serial] ([connecting_IP])"
Scope
FortiManager / FortiManager Cloud.
Solution
In the above scenario, the only way to add a new FortiGate is to first create it in the Device Manager Database. Here are a few possible ways to do that.
Option 1. Device Manager (Normal mode ADOM) -> Add Device -> Add Model Device.
Important Note:
After creating a model device in a Normal mode ADOM, FortiManager automatically assigns a default configuration to it. If this default configuration is not modified, FortiManager will push it as is to the newly connected FortiGate, effectively deleting its running configuration.
This can be avoided by following the instructions below.
- In FortiManager versions 7.4 and up, disable 'auto-link' when creating the model device, by turning off the option 'Automatically Link to Real Device'.
- In FortiManager v7.2.8 +, the option 'Automatically Link to Real Device' is not available in the Add Device screen, but it can be still disabled after that by editing the already added model device.
- In all other FortiManager versions:
- Backup the running FortiGate configuration from the FortiGate GUI.
- In FortiManager, go to the Device Manager, select the new Model Device, and navigate to its Dashboard.
- Find the 'Configuration and Installation' widget and open the Revision History.
- In the Revision History window, select More -> Import Revision.
- When selecting the FortiGate config file to import.
- When done, the revision count will remain 0 and the imported revision will not be visible in the revision history table.
To confirm that the config was imported and reloaded in the 'device database' of the modem device, go again to the 'Configuration and Installation' widget, and open the 'Device Configuration DB'.
- The next screen contains a FortiOS CLI format where some key parts of the imported config can be verified, to confirm that the intended config file was correctly imported. For example hostname, interface IPs, etc..
Option 2. Use temporary Backup Mode ADOM (not applicable for FortiManager Cloud):
- Create a new Backup ADOM.
- Then enter this Backup ADOM and navigate to Device Manager -> Add Device -> Add Model Device to create the model device.
- When the real FortiGate connects and matches the model device, FortiManager will trigger auto-link task but only retrieve the device config, without starting an installation.
- When the task is complete, move the device to a normal mode ADOM to manage it.
Option 3. Create a new 'real' (non-model) device directly into the FortiManager Device Manager Database using JSON API. Refer to How to add a real FortiGate device to FortiManager using an API query. This option allows multiple devices to be added with automation tools and is more convenient when a large number of new FortiGates need to be added.
