Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
pdhillon
Staff
Staff

Created on ‎06-13-2025 05:54 AM Edited on ‎12-12-2025 01:52 AM By Community Manager

Article Id 396147

Troubleshooting Tip: Common issues while adding FortiGate to FortiManager, and their solutions

Description This article describes the various errors that may be encountered while adding a new FortiGate to FortiManager, and the possible solutions.
Scope FortiGate, FortiManager.
Solution

When onboarding FortiGate to FortiManager, it is usually a seamless process, but issues may occur for various reasons. In this article, the most common issues seen are discussed along with their solutions.

 

To start troubleshooting the issue, review the event logs on the FortiManager, as well as run fgfmsd debugs, which gives a direction to look to find the root cause of the issue. Follow the instructions in Technical Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager to run fgfmsd debugs on the FortiManager.

 

Scenario 1: When trying to add a FortiGate to FortiManager, an error message 'unregistered device ignored' may occur in the FortiManager Fgfmsd debugs. This error occurs if 'fgfm-deny-unknown' is enabled on the FortiManager. To resolve this, either follow the special instructions to add FortiGate to FortiManager as described in the following KB article or disable this setting:

 

config system global
    set fgfm-deny-unknown enable
end

 

Instructions to add FortiGate to FortiManager with fgfm-deny-unknown enable: Technical Tip: How to add FortiGate with its current config to FortiManager when 'set fgfm-deny-unkn....

 

Debug snippet:

 

": "<unknown>", "version": 700}, "from": 1}, "url": "dvm\/cmd\/manage\/device"}], "session": -1}
FGFMs(FG101F1111111111-302-2.2.2.27): server:
get connect_tcp
localid=10744
chan_window_sz=32768
deflate=gzip
tcp_port=80

bind /var/tmp/fgfm/.fos.FG101F1111111111.rpc-FMG-0000000000-VLW1Gc OK.
Response [unknown]:{ "id": 9501, "result": [{ "status": { "code": -20012, "message": "Unregistered device ignored"}, <-----
"url-"dvm\/cmd\/manage\/device"}]}
FGFMs(probing...): Cleanup session 0x556647524780, 1.1.1.1.
FGFMs(probing...): Destroy session 0x556647524780, 1.1.1.1.
FGFMs(FG101F1111111111-302-2.2.2.27): fgfm_tcp_chan.c,__chan_write,278:error.
FGFMs(FG101F1111111111-302-2.2.2.27): Destroy tcp channnel local_id=16568, remote_id=10744, sock_rd=492, sock_wr=634, sock_size=0, c

 

Scenario 2: In this scenario, FortiManager is showing an 'unknown CA' error in the debugs. This error could be seen on the FortiManager while adding a new FortiGate to FortiManager, and, for example, an intermediate CA is missing on the FortiManager. Ensure that all necessary CA certificates are present on the FortiManager to resolve this issue.

 

Debugs:


2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(Test Server CA 019), remote_CA_subject(Local Root CA )
2025-06-03 13:44:48 FGFMs: Remote CA subject is /C=GB/O=Test hlc/CN=LOcal Root CA .
2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(fortinet-subca2001), remote_CA_subject(LOcal Root CA )
2025-06-03 13:44:48 FGFMs: Remote CA subject is /C=GB/O=Test hlc/CN=LOcal Root CA .
2025-06-03 13:44:48 FGFMs: issuer matching...try next if not match... local_issuer(support), remote_CA_subject(LOcal Root CA )
2025-06-03 13:44:48 FGFMs: No more valid certificates
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write certificate
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 write server certificate verify
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 SSLv3/TLS write finished
2025-06-03 13:44:48 FGFMs: ssl_proto.c,642: TLSv1.3 TLSv1.3 early data
2025-06-03 13:44:48 FGFMs: ssl_proto.c,744: TLSv1.3 read fatal alert: unknown CA
2025-06-03 13:44:48 FGFMs: ssl_proto.c,759: TLSv1.3 error
2025-06-03 13:44:48 FGFMs: ssl_proto.c,__get_error,1519, error=1, errno=0,Success, ssl=no valid cert.
2025-06-03 13:44:48 FGFMs(probing...): Connection was interrupted. sockevents[-1] sslerr[-6]
2025-06-03 13:44:48 FGFMs(probing...): Cleanup session 0x55ae63ac2280, 1.1.1.1.
2025-06-03 13:44:48 FGFMs(probing...): Destroy session 0x55ae63ac2280, 1.1.1.1.
2025-06-03 13:45:02 __start_tunnel_by_devlist,336: devid=265, admin=admin.


Scenario 3: When adding a new FortiGate to FortiManager, an error may be encountered stating 'serial number (fgvmultm12345678) in 'get' message doesn't match the subject CN (test.lab.com) in peer's certificate' on FortiManager version 7.4.6 with custom certificates. This error occurs because the serial number is missing in the FortiGate certificate's SAN.

 

In FortiManager v7.4.6, the 'fgfm-peercert-withoutsn' setting has been removed, so the verification cannot be disabled. Ensure that the FortiGate certificate contains the serial number in either the CN or SAN. Note that FortiManager expects the serial number in the CN of the FortiGate certificate on FortiManager v7.4.6. This behavior is fixed in FortiManager v7.4.7, where a certificate can be created with the serial number in the SAN, and it should work.

 

To validate that on FortiGate, go to System -> Certificates, review the subject of the Certificate 'Fortinet_Factory', and ensure that the CN is showing the serial number of the FortiGate 

 

If the CN is showing as "FortiGate" instead, then run the below command in FortiGate CLI :

 

execute vm-license

 

If it is a hardware FortiGate, apply the following command:

 

FortiGate (root)# execute vpn certificate local generate default-ssl-key-certs

 

  • Check the output of:

 

FortiGate (root)# get vpn certificate local details

 

  • Check if the CN fields are changing or not, and if not, then open a ticket to the FortiGate team.

 

Note:

If FortiManager is configured to use fgfm-peercert-withoutsn on v 7.4.5 (or older) and an upgrade is made to  v7.4.6, FortiManager will encounter the same error in the debugs after the upgrade, because fgfm-peercert-withoutsn is removed and not available on v7.4.6: Release Notes: 7.4.6 Special Notices.

Debugs:


2025-06-03 14:20:42 FGFMs(probing...): SAN: <DNS:Test.lab.com>
2025-06-03 14:20:42 FGFMs(probing...): __get_handler:1060: sn doesn't matche
2025-06-03 14:20:42 FGFMs(probing...): __get_handler:1088: serial number (FGVMULTM12345678 in 'get' message doesn't match the subject CN (test.lab.com) in peer's certificate.

 

Scenario 4: Sometimes, when adding a device, there might be an issue with the configuration present on the device, which can prevent the addition of a device to FortiManager. 

 

To check and confirm if there is an issue with the configuration, the following commands can be run on FortiManager. 


diagnose dvm device list <----- The OID of the device being added to FortiManager.
diagnose test deploymanager reloadconf <OID> <----- The OID of the device from the above output.

 

This command will load the configuration and comment where it finds the invalid data source. This configuration needs to be corrected before attempting to add the device again. 
2479
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.