FortiManager
sfrati
Staff
Article Id 316226
Description

This article describes how to resolve the issue where a FortiGate HA cluster cannot be registered in FortiManager because of a Serial Number (SN) mismatch in the FortiGate certificate used for the FGFM connection.

Scope
When a FortiGate registers to FortiManager for the first time, or whenever the fgfmd daemon subsequently reconnects to FortiManager on TCP/541 (when FortiManager is configured as central management), the primary node of the HA cluster initiates a TLS-encrypted connection.
 
This connection is authenticated using the built-in 'Fortinet_Factory' certificate stored on the FortiGate. Custom certificates can also be used to authenticate the connection. In the FortiGate HA cluster setup with two or more nodes, the certificate is replicated from the primary node to the secondary nodes.
 
The certificate's Subject has the 'Common Name (CN)' and 'Subject Alternative Name (SAN)' fields. Starting with the FortiManager versions 7.0.12/7.2.5/7.4.3, to establish the connection between the FortiGate and FortiManager, the certificate must include the FortiGate's serial number either in the CN or SAN field. More details can be found in the Special Notices.
 
The issue with the FortiGate serial number inside the certificate's subject can be represented by the following cases:
  • CN/SAN has a 'fortinet', 'Fortinet', 'FortiGate', or other similar values instead of the actual serial number of the Primary Member.
  • CN/SAN has a serial number of the Secondary Member instead of the Primary Member.
 
Note: The Secondary Member in the FortiGate HA cluster should have the Primary Member's serial number in its certificate's CN/SAN field. This is expected behavior after the Secondary Member is added to the cluster. More details are available in the Technical Tip: How local certificates are handled in a FortiGate HA cluster article.
 
Examples of the issue:
 
FortiManager# diagnose debug application fgfmd 255
FGFMs(probing...): __get_handler:1060: sn doesn't match
FGFMs(probing...): __get_handler:1088: serial number (FG############) in 'get' message doesn't match the subject CN (FortiGate) in peer's certificate.
 
FortiManager# diagnose debug application fgfmd 255
FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... localissuer(fortinet-subca2001), remoteissuer(support)
FGFMs: need change local cert to ISSUER[support]
 
FortiGate# diagnose debug application fgfmd -1
FGFMs: Load certificate /etc/cert/factory/root_Fortinet_Factory.cer OK
FGFMs: unable to get certificate, exit
 
How to check the serial number values:
Check the serial number of the FortiGate:
 
FortiGate (root)# get system status | grep -i serial
Serial-Number: FG101FTK1xxxxx29
 
Compare it to the value of the CN/SAN in the certificate used for the FGFM communication ('Fortinet_Factory' is the default):
 
FortiGate (root)  # config vpn certificate local
FortiGate (local) # get Fortinet_Factory | grep CN
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTK2xxxxx76, emailAddress = support@fortinet.com
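One way to automate the comparison above, as an added example that is not part of the article: the Python below parses constructed copies of the 'get system status' and certificate output, extracts the serial number and the CN/SAN values, and classifies the result into the two mismatch cases listed earlier. The sample serial numbers and the 'DNS:<name>' rendering assumed for the SAN are assumptions.

```python
import re

# Constructed sample CLI output for illustration; serial numbers are placeholders
# (not real devices). The cluster here has a primary and one secondary member.
PRIMARY_STATUS = "Version: FortiGate-101F\nSerial-Number: FG101FTK1xxxxx29\n"
CERT_OUTPUT = (
    "Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, "
    "OU = FortiGate, CN = FG101FTK2xxxxx76, emailAddress = support@fortinet.com\n"
)
CLUSTER_MEMBERS = {"FG101FTK1xxxxx29", "FG101FTK2xxxxx76"}

SN_RE = re.compile(r"^Serial-Number:\s*(\S+)", re.MULTILINE)
CN_RE = re.compile(r"\bCN\s*=\s*([^,\n]+)")
# SAN parsing assumes the OpenSSL-style 'DNS:<name>' rendering of the extension.
SAN_RE = re.compile(r"DNS:([^,\s]+)")
# Generic values the article lists as symptoms of a bad CN/SAN (case-insensitive).
PLACEHOLDERS = {"fortinet", "fortigate"}


def parse_serial(status_output):
    """Return the Serial-Number value from 'get system status' output, or None."""
    m = SN_RE.search(status_output)
    return m.group(1) if m else None


def cert_identities(cert_output):
    """Collect every CN and SAN DNS value found in the certificate dump."""
    ids = [m.group(1).strip() for m in CN_RE.finditer(cert_output)]
    return ids + SAN_RE.findall(cert_output)


def classify(primary_sn, cert_output, cluster_members=frozenset()):
    """Map the certificate's CN/SAN against the primary's SN to one of the article's cases."""
    ids = cert_identities(cert_output)
    if primary_sn in ids:
        return "ok"                    # FortiManager's SN check will pass
    if any(i.lower() in PLACEHOLDERS for i in ids):
        return "placeholder-cn"        # CN is 'FortiGate', 'fortinet', ...
    if any(i in cluster_members for i in ids):
        return "secondary-member-sn"   # CN carries another member's SN
    return "unknown-identity"


def check_cluster_cert(status_output, cert_output, cluster_members=frozenset()):
    """Parse the primary's SN from the status output and classify the certificate."""
    sn = parse_serial(status_output)
    if sn is None:
        return None, "no-serial-found"
    return sn, classify(sn, cert_output, cluster_members)
```

Feed it the real outputs of the two commands above (and the set of cluster member SNs) to get the verdict for a given cluster.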
Solution

Before FortiManager versions 7.2.10/7.4.6/7.6.1:

It is possible to disable the SN verification on the FortiManager, but it is recommended to keep it enabled. If 'fgfm-peercert-withoutsn' is enabled, FortiManager does not verify the serial number in the certificate subject's CN/SAN:

config system global

    set fgfm-peercert-withoutsn enable

end

 

Starting with FortiManager versions 7.2.10/7.4.6/7.6.1:

The CLI option above was removed. There are two ways to proceed, depending on the FortiGate platform.

FortiGate VM:
Check the serial number with one of the commands below:

FortiGate (root)# get system status | grep -i serial
FortiGate (root)# diagnose debug vm-print-license | grep -i serial

Apply the correct serial number with the following command. The command will reboot the FortiGate.

FortiGate (root)# execute vm-license FGVMXXXXXXXX <-- Replace with the SN from the above commands.
This operation will reboot the system!
Do you want to continue? (y/n)y

Hardware FortiGate:
Regenerate the default certificates with the following command:

FortiGate (root)# execute vpn certificate local generate default-ssl-key-certs

  • Check the output of:

FortiGate (root)# get vpn certificate local details

  • Check whether the CN fields have changed; if they have not, open a ticket with the FortiGate team.

Note:

Starting with FortiManager version 7.4.7, connections from VM-based devices to FortiManager are restricted by default for security reasons. As part of this change, FortiManager no longer permits VM platform connections over FGFM unless explicitly allowed. To allow VM platform connections over FGFM, enter the following command in the FortiManager CLI:

config system global

    set fgfm-allow-vm enable

end

 

Related documents: