FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
akaratas (Staff)
Article Id 328728
Description

This article describes how to connect FortiGate to FortiManager Cloud and how to troubleshoot connectivity issues.

Scope

FortiManager Cloud subscription: the SKU column will contain FC<#>-10-MVCLD-227-01-12. For more information, see: Enabling the FortiManager Cloud connector on FortiGate

FortiGate license: to check whether the FortiGate has the correct contract and to add the correct account, run the command below.

diagnose test update info

A primary FortiCloud account is required for deployment. Only one FortiManager Cloud is possible under each FortiCloud account.

FortiManager Cloud and FortiGate need to be under the same FortiCloud account. FortiManager Cloud does not support ADOM, so make sure that the ADOM version on FortiManager Cloud supports the FortiGate's firmware branch, or change the ADOM version: Updating the ADOM version

Solution

  1. Connect FortiGate to FortiManager Cloud: go to Security Fabric -> Fabric Connectors, edit Central Management, enable Status, select FortiManager Cloud, and apply the changes.

  • Go to FortiManager Cloud and authorize the device.
  • Go to Device Manager and check Unauthorized Devices.
  • Select the device and authorize it.
  • Test the connectivity: the status should show Connected, both on the FortiGate and on FortiManager.

  2. Troubleshooting connectivity: after saving the settings, run the command below on the FortiGate CLI and confirm that the connection is up and the device is registered:

diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVCLTMXXXXXXX

Check name resolution and reachability of FortiManager Cloud from the FortiGate:

execute telnet fortimanager.forticloud.com 541
execute ping fortimanager.forticloud.com

If hostname resolution fails, the output looks like this:

Unknown host: fortimanagers.forticloud.com
Failed to get FortiManagers Cloud's status. Hostname resolution failed. (-21)

 

If there is no Internet connectivity issue, check the sniffer output below. FortiGate and FortiManager Cloud should be reachable on TCP port 541 in both directions.

On the FortiGate CLI:

diag sniffer packet any 'host <FortiManager Cloud IP> and port 541' 6 0 l

On the FortiManager CLI:

diag sniffer packet any 'port 541' 3 0 l

To collect FGFM debug output, on the FortiGate:

diag debug reset
diag debug application fgfm 255
diag debug console time enable
diag debug enable

On FortiManager:

diag debug reset
diag debug application fgfmsd 255 <deviceName>
diag debug time enable
diag debug enable

  • The source IP that the FortiGate uses to reach FortiManager can also be configured:

config system central-management
    set fmg-source-ip <FGT-IP>
end

  • While adding the FortiGate to FortiManager Cloud, FortiManager Cloud uses the default admin user. Therefore, do not delete the default admin user.
  • To force the FortiGate to send an authorization request from the CLI, use the command below:

exe central-mgmt register-device <FMG Serial> <admin>
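The troubleshooting checks above (central-mgmt-status output, hostname resolution, then TCP 541 and authorization) as an added Python triage helper; this is example code written for this article, not Fortinet's, and it works on constructed sample outputs embedded below and assumes the FMGVCLT serial prefix seen in the sample output.

```python
import re

# Constructed sample outputs modelled on the article's examples (not captured from a live device).
STATUS_OK = """Connection status: Up
Registration status: Registered
Serial: FMGVCLTMXXXXXXX
"""
STATUS_DOWN = """Connection status: Down
Registration status: Unregistered
Serial: FMGVCLTMXXXXXXX
"""
PING_DNS_FAIL = """Unknown host: fortimanager.forticloud.com
Failed to get FortiManager Cloud's status. Hostname resolution failed. (-21)
"""

# Next check for each finding, in the order the article works through them.
NEXT_STEP = {
    "dns": "fix name resolution / Internet access first (execute ping fortimanager.forticloud.com)",
    "transport": "sniff 'port 541' on both sides and run fgfm / fgfmsd debug",
    "authorization": "authorize the device in Device Manager, or run 'exe central-mgmt register-device'",
    "serial": "serial lacks the FMGVCLT prefix shown for FortiManager Cloud; check the Central Management target",
}


def parse_status(output):
    """Parse 'diagnose fdsm central-mgmt-status' output into {lower-case field: value}."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def triage(status_output, ping_output=""):
    """Return finding codes in check order; an empty list means connected and registered."""
    st = parse_status(status_output)
    findings = []
    if "Unknown host" in ping_output or "Hostname resolution failed" in ping_output:
        findings.append("dns")
    if st.get("connection status", "").lower() != "up":
        findings.append("transport")
    if st.get("registration status", "").lower() != "registered":
        findings.append("authorization")
    serial = st.get("serial", "")
    # Assumption: FortiManager Cloud serials start with FMGVCLT, as in the article's sample output.
    if serial and not serial.startswith("FMGVCLT"):
        findings.append("serial")
    return findings
```

Feed it the pasted CLI output and map each returned code through NEXT_STEP to get the next check to run.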

 

For more information:

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager

The WAN IP of FortiManager Cloud can be found using the document below, in order to check its reachability:

Identifying the public IP address

Related documents:

Enabling the FortiManager Cloud connector on FortiGate
FortiManager Cloud - Checking Requirements and Licenses
FortiManager Cloud Limitations
FortiManager Cloud - Identifying the Public IP Address
FortiManager Cloud Licensing of FortiGates running FortiOS Versions Prior to 6.2
FortiManager Cloud Button is Unavailable (grayed out) in the FortiOS GUI
Troubleshooting Tip: How to troubleshoot connectivity to FortiManager Cloud
How to troubleshoot connectivity issues between FortiGate and FortiManager