Created on 01-12-2023 02:17 AM Edited on 10-18-2024 05:39 AM By Jean-Philippe_P
Description
This article describes how to set up custom certificates for the FGFM connection between FortiManager and the managed FortiGates.
Scope
FortiManager from v6.2.3, FortiGate from v6.2.3.
Solution
Upload the CA certificate in the CA certificate section of both FortiManager and FortiGate:
How to import a CA certificate in FortiManager is explained here: Technical Note: Import CA certificates in FortiManager or FortiAnalyzer.
How to import a CA certificate in FortiGate is explained here: Docs: FortiOS – CA Certificate.
Import the signed server certificates (and their keys) as local certificates. The import procedure depends on the enrollment method used and on the specific FortiManager and FortiGate versions:
FortiManager documentation: Local certificates.
FortiGate documentation: Procuring and importing a signed SSL certificate.
Note: From versions 7.0.12/7.2.5/7.4.3, the serial number (SN) must be included in the certificate CN or SAN.
Error example:
'The FortiManager's access to the FortiGate will be authenticated by the FortiManager certificate. The serial number from the certificate must match the serial number observed on the FortiManager. Could not connect to the FortiManager to retrieve its Serial Number.'
Under FortiManager, the following setting can be used to temporarily overcome this requirement. However, it is recommended to keep the verification enabled:
config system global
set fgfm-peercert-withoutsn enable
end
Note: When the settings below are changed and the 'end' command is issued, the FGFM tunnels between FortiManager and all managed FortiGates will go down.
Direct access to the managed FortiGates would be required to change their central management configuration accordingly.
The FortiManager certificate settings are only available in the CLI.
FortiManager configuration:
config system global
set fgfm-ca-cert "<CA_Certificate_Name>" <- Defines which certificate authority (CA) the FortiGate certificate must be signed by.
set fgfm-local-cert "<Local-Server_Certificate_Name>" <- Defines which local certificate is used on port TCP/541.
end
Note: FortiManager versions 7.0.12, 7.2.5 and 7.4.3 also added the following options under 'config system global':
set fgfm-cert-exclusive <- When set to 'enable', only FortiGate certificates signed by the CA as defined under 'fgfm-ca-cert' are accepted.
set fgfm-deny-unknown <- When set to 'enable', FortiManager ignores FGFM connection attempts from unauthorized devices.
Note: In networks with high latency, adjusting the following settings can help:
config system dm
set discover-timeout 15
set fgfm_keepalive_itvl 30
end
Note: To keep the event logs regarding the FGFM connections, use the following settings:
config sys locallog syslogd filter
set fgfm enable
end
These logs are visible under System Settings > Events. It is highly recommended to export them to an external log system or FortiAnalyzer.
For more information, see the article below:
Technical Tip: FortiManager/FortiAnalyzer local event logs setup for the external SYSLOG server
Example logs:
2024-10-14 10:29:55 tz="+0200" log_id=0002011002 type=event subtype=fgfm pri=information desc="fgfm connection up" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is up" operation="update dev info" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is up" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-12 01:15:59 tz="+0200" log_id=0002011003 type=event subtype=fgfm pri=warning desc="fgfm connection down" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is down" operation="cleanup fgfm session" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is down" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-11 17:02:10 tz="+0200" log_id=0002011005 type=event subtype=fgfm pri=alert desc="fgfm device register failed" msg="fgfm device register for device FGVxxxx failed by (don't allowed by settings)" operation="dev register" performed_on="dev=FGVxxxx" device="FGVxxxx"
2024-10-11 17:01:59 tz="+0200" log_id=0002011004 type=event subtype=fgfm pri=alert desc="fgfm offline mode status" msg="fgfm protocol start, offline mode is disable" operation="check offline mode" performed_on="sys admin setting" changes="fgfm protocol start, offline mode is disable" user="fgfm" offline_stat="disabled"
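As an added example (not part of the Fortinet article), the following sh/awk filter shows how the FGFM event logs above can be turned into alerts once they are exported to syslog: it reports tunnel-down events and rejected device registrations, the two conditions worth watching after 'fgfm-cert-exclusive' and 'fgfm-deny-unknown' are enabled. The sample input is the four log lines from this article, embedded verbatim; the output tags TUNNEL_DOWN and REGISTER_DENIED are this example's own naming.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: filter FortiManager FGFM event logs
# (type=event subtype=fgfm) and report the events a defender should alert on.
set -eu

# Sample input: the four "Example logs" lines from the article, embedded verbatim.
sample_logs() {
  cat <<'EOF'
2024-10-14 10:29:55 tz="+0200" log_id=0002011002 type=event subtype=fgfm pri=information desc="fgfm connection up" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is up" operation="update dev info" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is up" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-12 01:15:59 tz="+0200" log_id=0002011003 type=event subtype=fgfm pri=warning desc="fgfm connection down" msg="fgfm connection to device rhodium-fmgfaz-kvm139 is down" operation="cleanup fgfm session" performed_on="dev=rhodium-fmgfaz-kvm139" changes="fgfm connection to device rhodium-fmgfaz-kvm139 is down" user="fgfm" device="rhodium-fmgfaz-kvm139"
2024-10-11 17:02:10 tz="+0200" log_id=0002011005 type=event subtype=fgfm pri=alert desc="fgfm device register failed" msg="fgfm device register for device FGVxxxx failed by (don't allowed by settings)" operation="dev register" performed_on="dev=FGVxxxx" device="FGVxxxx"
2024-10-11 17:01:59 tz="+0200" log_id=0002011004 type=event subtype=fgfm pri=alert desc="fgfm offline mode status" msg="fgfm protocol start, offline mode is disable" operation="check offline mode" performed_on="sys admin setting" changes="fgfm protocol start, offline mode is disable" user="fgfm" offline_stat="disabled"
EOF
}

# Read FGFM event log lines on stdin; print one finding per line:
#   <date> <time> TUNNEL_DOWN <device>
#   <date> <time> REGISTER_DENIED <device> (<msg>)
# Informational events (connection up, offline-mode status) are ignored.
fgfm_findings() {
  awk '
    # kv(): return the value of key="..." or key=... from the line, "" if absent.
    function kv(line, key,    m) {
      if (match(line, " " key "=\"[^\"]*\"")) {
        m = substr(line, RSTART, RLENGTH)
        sub("^ " key "=\"", "", m); sub("\"$", "", m)
        return m
      }
      if (match(line, " " key "=[^ ]*")) {
        m = substr(line, RSTART, RLENGTH)
        sub("^ " key "=", "", m)
        return m
      }
      return ""
    }
    /type=event subtype=fgfm/ {
      desc = kv($0, "desc"); dev = kv($0, "device")
      if (desc == "fgfm connection down")
        print $1, $2, "TUNNEL_DOWN", dev
      else if (desc == "fgfm device register failed")
        print $1, $2, "REGISTER_DENIED", dev, "(" kv($0, "msg") ")"
    }'
}

# Number of findings in the sample (used by the demo and for checking the filter).
fgfm_finding_count() {
  sample_logs | fgfm_findings | wc -l | tr -d ' '
}

# Demo run over the embedded sample: prints the two findings.
sample_logs | fgfm_findings
```

In production the same filter would read the syslog feed instead of 'sample_logs'; a REGISTER_DENIED finding for an unknown serial is the log trace of a device being rejected by the FGFM certificate policy.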
FortiGate configuration:
config system central-management
set local-cert "<Local-Server_Certificate_Name>" <- Defines which local certificate is to be used on port TCP/541.
set ca-cert "<CA_Certificate_Name>" <- Defines which authority the FortiManager certificate must be signed by.
end
Example:
FortiManager side:
config system global
set fgfm-ca-cert "RootCA" <- FGFM certificates signed by this CA are trusted.
set fgfm-local-cert "cert_fmg" <- Use this local certificate as the FGFM certificate.
set fgfm-cert-exclusive enable <- Only trust client certificates signed by fgfm-ca-cert "RootCA".
end
FortiGate side:
config system central-management
set local-cert "cert_fgt" <- Use this local certificate as the FGFM certificate.
set ca-cert "RootCA" <- FGFM certificates signed by this CA are trusted.
end
The following CLI debug can be used to troubleshoot FortiManager tunnel issues. The output also shows certificate information during the TLS negotiation phase.
FortiManager:
diag fgfm ?
diag fgfm install-sessions <<< Installation session list.
diag fgfm object-list <<< Object list.
diag fgfm session-list <<< Session list.
diag debug application fgfmsd 255 {filter optional}
diag debug timestamp enable
diag debug enable
FortiGate:
diag debug application fgfmd -1
diag debug console timestamp enable
diag debug enable
An external PC with 'openssl' (and 'nmap') installed can be used to verify which certificate chain each unit presents:
openssl s_client -showcerts -connect <address>:<port>
nmap --script ssl-enum-ciphers <address> -p <port>
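The script below is an added example and not part of the Fortinet article. It builds a throwaway test PKI with openssl and checks, offline, the two properties this article requires of an FGFM certificate: that the serial number is present in the CN or SAN (the 7.0.12/7.2.5/7.4.3 requirement noted above) and that the certificate chains to the CA configured as 'fgfm-ca-cert' / 'ca-cert' (what 'fgfm-cert-exclusive' enforces). The same 'openssl x509' and 'openssl verify' inspection applies to a certificate saved from 'openssl s_client -showcerts' output. The CA name "RootCA" comes from the article's example; the serial number, hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: issue FGFM-style device certificates
# with a test CA and check (1) the serial number is in the CN or SAN and (2) the
# certificate chains to the configured CA. All names and the serial are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEVICE_SN="FGVMXXXX00000001"   # constructed placeholder, not a real FortiGate serial

# Self-signed root CA, standing in for the "RootCA" imported on both units.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=RootCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Device certificate signed by the CA.
#   $1 = subject CN, $2 = subjectAltName value, $3 = output basename
make_device_cert() {
  cn=$1; san=$2; name=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Exit 0 when the serial appears in the certificate subject CN or SAN, else 1.
cert_has_sn() {
  cert=$1; sn=$2
  subject=$(openssl x509 -in "$cert" -noout -subject)
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$subject $san" in
    *"$sn"*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Exit 0 when the certificate chains to RootCA, else 1.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
make_device_cert "$DEVICE_SN"      "DNS:fgt.example.net" fgt_cn    # SN in CN
make_device_cert "fgt.example.net" "DNS:$DEVICE_SN"      fgt_san   # SN in SAN only
make_device_cert "fgt.example.net" "DNS:fgt.example.net" fgt_nosn  # no SN anywhere
# Certificate from an unrelated issuer: carries the SN but does not chain to RootCA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$DEVICE_SN" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1

for c in fgt_cn fgt_san fgt_nosn rogue; do
  if cert_has_sn "$WORK/$c.crt" "$DEVICE_SN"; then has_sn=yes; else has_sn=no; fi
  if chain_verifies "$WORK/$c.crt"; then chain=ok; else chain=FAIL; fi
  printf '%-9s serial-in-CN/SAN=%-3s chain-to-RootCA=%s\n' "$c" "$has_sn" "$chain"
done
```

Only 'fgt_cn' and 'fgt_san' pass both checks; 'fgt_nosn' is what triggers the serial-number error quoted earlier, and 'rogue' is what 'fgfm-cert-exclusive' rejects. To apply the same checks to a live unit, save the PEM blocks printed by 'openssl s_client -showcerts' to a file and pass it to 'cert_has_sn' and 'openssl verify -CAfile' with the real CA certificate.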