Description
This article describes how to connect FortiGate to FortiManager Cloud and troubleshoot connectivity issues.
Scope
FortiManager Cloud subscription:
The SKU column will contain FC<#>-10-MVCLD-227-01-12. For more information, visit the document below: Enabling the FortiManager Cloud connector on FortiGate.
FortiGate license:
To check if the FortiGate has a valid contract and if the account matches the same FortiCloud account with FortiManager,
run the CLI command:
diagnose test update info
A primary FortiCloud account is required for deployment. Only one FortiManager Cloud instance is supported for each FortiCloud account.
FortiManager Cloud and FortiGate need to be under the same FortiCloud account. FortiManager Cloud does not support multiple ADOMs, so make sure the ADOM version on FortiManager Cloud matches the FortiGate major firmware branch (7.4, 7.6 etc) or upgrade/downgrade the ADOM version:
Solution
- Connect FortiGate to FortiManager Cloud: Go to Security Fabric -> Fabric Connectors, edit Central Management, enable the Status, select FortiManager Cloud, and apply the changes.
- Go to FortiManager Cloud and Authorized.
- Go to Device Manager and Check Unauthorized Devices.
- Select it and authorize it.
- The FortiGate serial number becomes the basis for authentication.
- Test the connectivity to see Connected.
-
On FortiGate:
- On FortiManager:
- Troubleshooting connectivity: After saving the setting, check the following command on the FortiGate CLI:
diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVCLTMXXXXXXX
execute telnet fortimanager.forticloud.com 541
execute ping fortimanager.forticloud.com
Unknown host: fortimanagers.forticloud.com
Failed to get FortiManagers Cloud's status. Hostname resolution failed. (-21)
If there is no internet communication issue, check below sniffer outputs below.
- FortiGate and FortiManager Cloud should be reachable at TCP port 541 in both directions.
On the FortiGate CLI:
diagnose sniffer packet any 'host <FortiManager Cloud IP> and port 541' 6 0 l
On the FortiManagers CLI:
diagnose sniffer packet any 'port 541' 3 0 l
On FortiGate:
diagnose debug reset
diagnose debug application fgfmd 255
diagnose debug cli 8
diagnose debug console time enable
diagnose debug enable
To disable debugs:
diagnose debug disable
On FortiManager:
diagnose debug reset
diagnose debug application fgfmsd 255 <deviceName>
diagnose debug time enable
diagnose debug enable
To disable debugs:
diagnose debug disable
- The source IP of the FortiGate can also be configured to reach FortiManager:
config system central-management
set fmg-source-ip <FGT-IP>
end
- While adding FortiGate to FortiManager Cloud, FortiManager Cloud is using the default admin user. Therefore, the default admin user should not be deleted for security purposes.
- To force the FortiGate to send an authorization request via CLI, the following command can be used:
execute central-mgmt register-device <FMG Serial> <admin>
Important note:
There is no 'Discover device' mode while adding a new FortiGate device to FortiManager-Cloud.
Related article:
Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager.
The WAN-IP of FortiManager Cloud can be learned by consulting the following document to check its reachability:
Identifying the public IP address - FortiManager Cloud documentation.
Related documents:
Enabling the FortiManager Cloud connector on FortiGate
Technical Tip: The FortiGate license is needed for firmware upgrade
FortiManager Cloud - Checking Requirements and Licenses
FortiManager Cloud Limitations
FortiManager Cloud - Identifying the Public IP Address
FortiManager Cloud Licensing of FortiGates running FortiOS Versions Prior 6.2
FortiManager Cloud Button is Unavailable (grayed out) in the FortiOS GUI
Troubleshooting Tip: How to troubleshoot connectivity to FortiManager Cloud
How to troubleshoot connectivity issues between FortiGate and FortiManager
Limitations of FortiManager Cloud | FortiManager Cloud 7.6.2 | Fortinet Document Library
Technical Tip: Allow Full Access for Fortinet Backend Support in FortiManager-Cloud
