FortiManager
vraev
Staff
Article Id 242730

Description

 

This article describes how to set up custom certificates for the FGFM connection between FortiManager and its managed FortiGates.

 

Scope

 

FortiManager v6.2.3 and later, FortiGate v6.2.3 and later.

 

Solution

 

1. Importing the certificates:

Upload the CA certificate under the CA Certificates section on both the FortiManager and the FortiGate:


Import the signed certificates (together with their private keys) as local certificates on each unit. The import procedure depends on the enrollment method used and on the FortiManager and FortiGate versions in place:


Note: 

Starting in v7.6.2/v7.4.6/v7.2.10, the 'fgfm-peercert-withoutsn' setting is no longer supported: FortiManager always checks the FortiGate's certificate for the FortiGate serial number.

Because of this change, the FortiGate certificate must carry the unit's serial number in the CN field. It is possible to load the FortiGate's entitlement file to regenerate the certificate content.

 

Note:

From version 7.0.12/7.2.5/7.4.3, the release notes carry a Special Notice about the serial number check against the certificate CN or SAN.

 

Error example:

'The FortiManager's access to the FortiGate will be authenticated by the FortiManager certificate. The serial number from the certificate must match the serial number observed on the FortiManager. Could not connect to the FortiManager to retrieve its Serial Number.'

 
 


 

Note:

The same error may also appear when connecting a new FortiGate-VM to FortiManager v7.4.7 and later: by default, FortiManager now denies FGFM connections from VM platforms. For details, refer to the release notes.

 

 

2. Configuration:

When the settings below are changed and the 'end' command is entered, all FGFM tunnels between the FortiManager and its FortiGates go down.

 

Direct access to each managed FortiGate is therefore required to change its central management configuration to match. On FortiManager, the certificate settings are only available in the CLI.


FortiManager configuration:

 

config system global
    set fgfm-ca-cert "<CA_Certificate_Name>"  <- Defines which authority the FortiGate certificate must be signed by.
    set fgfm-local-cert "<Local-Server_Certificate_Name>" <- Defines the local certificate used on port TCP/541.
end

 

Note:

FortiManager v7.0.12, v7.2.5, and v7.4.3 also added the following options under 'config system global':

 

set fgfm-cert-exclusive enable <- Only FortiGate certificates signed by the CA defined under 'fgfm-ca-cert' are accepted.

set fgfm-deny-unknown enable <- FortiManager rejects FGFM connection attempts from unauthorized devices.

 

Note: 

In networks with high latency, raising the following timers can help keep the tunnels up:

 

config system dm
    set discover-timeout 15
    set fgfm_keepalive_itvl 30
end

 

Note:

To keep (and forward) the event logs for FGFM connections, use the following settings:

 

config sys locallog syslogd filter
    set fgfm enable
end

 

These logs are visible under System Settings -> Events. It is highly recommended to export them to an external syslog server or to FortiAnalyzer.

For more information, see: Technical Tip: FortiManager/FortiAnalyzer local event logs setup for the external SYSLOG server

Example logs:

 

2024-10-14 10:29:55 tz="+0200" log_id=0002011002 type=event subtype=fgfm pri=information desc="fgfm connection up" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is up" operation="update dev info" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is up" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-12 01:15:59 tz="+0200" log_id=0002011003 type=event subtype=fgfm pri=warning desc="fgfm connection down" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is down" operation="cleanup fgfm session" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is down" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-11 17:02:10 tz="+0200" log_id=0002011005 type=event subtype=fgfm pri=alert desc="fgfm device register failed" msg="fgfm device register for device FGVxxxx failed by (don't allowed by settings)" operation="dev register" performed_on="dev=FGVxxxx" device="FGVxxxx"
2024-10-11 17:01:59 tz="+0200" log_id=0002011004 type=event subtype=fgfm pri=alert desc="fgfm offline mode status" msg="fgfm protocol start, offline mode is disable" operation="check offline mode" performed_on="sys admin setting" changes="fgfm protocol start, offline mode is disable" user="fgfm" offline_stat="disabled"
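As an added example that is not part of the article, the following shell functions run simple detection logic over a few constructed log lines modelled on the examples above (device names and the FGVxxxx serial are placeholders): which serial numbers FortiManager refused to register, which devices' tunnels flap, and the last known state of each device. In production, feed the exported syslog stream in on stdin instead of the sample function.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: detection logic over constructed
# FortiManager local event log lines (type=event subtype=fgfm). Device names and the
# FGVxxxx serial are placeholders; the line layout follows the article's examples.

# Constructed sample, oldest line first.
fgfm_sample_log() {
  cat <<'EOF'
2024-10-14 10:29:55 tz="+0200" log_id=0002011002 type=event subtype=fgfm pri=information desc="fgfm connection up" msg="fgfm connection to device fgt-branch-01 is up" operation="update dev info" performed_on="dev=fgt-branch-01" user="fgfm" device="fgt-branch-01"
2024-10-14 10:31:10 tz="+0200" log_id=0002011003 type=event subtype=fgfm pri=warning desc="fgfm connection down" msg="fgfm connection to device fgt-branch-02 is down" operation="cleanup fgfm session" performed_on="dev=fgt-branch-02" user="fgfm" device="fgt-branch-02"
2024-10-14 10:31:40 tz="+0200" log_id=0002011002 type=event subtype=fgfm pri=information desc="fgfm connection up" msg="fgfm connection to device fgt-branch-02 is up" operation="update dev info" performed_on="dev=fgt-branch-02" user="fgfm" device="fgt-branch-02"
2024-10-14 10:35:02 tz="+0200" log_id=0002011003 type=event subtype=fgfm pri=warning desc="fgfm connection down" msg="fgfm connection to device fgt-branch-02 is down" operation="cleanup fgfm session" performed_on="dev=fgt-branch-02" user="fgfm" device="fgt-branch-02"
2024-10-14 10:40:00 tz="+0200" log_id=0002011005 type=event subtype=fgfm pri=alert desc="fgfm device register failed" msg="fgfm device register for device FGVxxxx failed by (don't allowed by settings)" operation="dev register" performed_on="dev=FGVxxxx" device="FGVxxxx"
EOF
}

# Value of a quoted key="value" field ($1 = key), read from stdin, one per input line.
field() { sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }

# Serial numbers FortiManager refused to register (log_id 0002011005): what you see when
# fgfm-deny-unknown or fgfm-cert-exclusive rejects a device, or its serial is unknown.
fgfm_register_failures() {
  grep 'desc="fgfm device register failed"' | field device | sort -u
}

# Devices whose tunnel went down at least N times (default 2): candidates for the
# discover-timeout / keepalive tuning above, or for a closer look at the path between.
fgfm_flapping() {
  grep 'desc="fgfm connection down"' | field device | sort | uniq -c |
    awk -v min="${1:-2}" '$1 >= min { print $2 }'
}

# Last known state per device, derived from the up/down sequence (input oldest first).
fgfm_state() {
  awk -F'desc="fgfm connection ' 'NF > 1 {
        split($2, a, "\""); st = a[1]
        d = substr($0, index($0, "device=\"") + 8); sub(/".*/, "", d)
        state[d] = st
      }
      END { for (d in state) print d, state[d] }' | sort
}

echo "refused registrations:"; fgfm_sample_log | fgfm_register_failures
echo "flapping devices:";      fgfm_sample_log | fgfm_flapping 2
echo "current state:";         fgfm_sample_log | fgfm_state
```

On the sample, the refused registration is FGVxxxx, fgt-branch-02 is flagged as flapping, and the state view shows fgt-branch-01 up and fgt-branch-02 down. A refused registration that names a serial you did expect is the first thing to check after enabling fgfm-cert-exclusive or fgfm-deny-unknown.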

FortiGate configuration:

 

config system central-management
    set local-cert "<Local-Server_Certificate_Name>" <- Defines the local certificate to be used on port TCP/541.
    set ca-cert "<CA_Certificate_Name>" <- Defines which authority the FortiManager certificate must be signed by.
end

Example:

FortiManager side:

 

config system global
    set fgfm-ca-cert "RootCA" <- FGFM certificates signed by this CA are trusted.
    set fgfm-local-cert "cert_fmg" <- Use this local certificate as the FGFM certificate.
    set fgfm-cert-exclusive enable <- Only trust peer certificates signed by fgfm-ca-cert "RootCA".
end

 

FortiGate side:

 

config system central-management
    set local-cert "cert_fgt" <- Use this local certificate as an FGFM certificate.
    set ca-cert "RootCA" <- FGFM certificates signed by this CA are trusted.
end

 

 

3. Troubleshooting:

The following CLI debug commands can be used to troubleshoot FGFM tunnel issues. The output also shows the certificate information exchanged during the TLS negotiation phase.

FortiManager:

 

diagnose fgfm ?
diagnose fgfm install-sessions <- Installation session list.
diagnose fgfm object-list <- Object list.
diagnose fgfm session-list <- Session list.

 

diagnose debug application fgfmsd 255 {filter optional}
diagnose debug timestamp enable

diagnose debug enable

FortiGate:

 

diagnose debug application fgfmd -1
diagnose debug console timestamp enable

diagnose debug enable

An external host with 'openssl' (and optionally 'nmap') installed can be used to verify which certificate chain each unit presents on the FGFM port (TCP/541) and which cipher suites it offers:

openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>

 


 

Related documents:

CA certificates

CLI certificate commands

Incoming ports

Technical Note: Import CA certificates in FortiManager or FortiAnalyzer

Technical Note: Configure SSL certificate for the FortiManager / FortiAnalyzer admin GUI v5.4

Technical Tip: TLS and the use of Digital Certificates  

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager
Technical Tip: How to setup a custom certificate regarding OFTP protocol

Technical Tip: Different application of local certificate for FortiManager/FortiAnalyzer