FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.



This article describes how the 'FGFM' protocol is used for communication between FortiGate and FortiManager devices.

The FGFM protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4.



Check the SSL compatibility.

On FortiManager.


# config sys global
    set fgfm-ssl-protocol
    sslv3                           <----- Set SSLv3 as the lowest version.
    tlsv1.0                         <----- Set TLSv1.0 as the lowest version.
    tlsv1.1                         <----- Set TLSv1.1 as the lowest version.
    tlsv1.2                         <----- Set TLSv1.2 as the lowest version (default).

On FortiGate.


set enc-algorithm
default                                                      <----- High strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD.
high                                                           <----- 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA.
low                                                            <----- 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CDBC-SHA, DES-CBC-SHA, DES-CBC-MD5.



The 'FGFM' protocol implements a secure communication protocol with the following functions:

FortiGate reachability status (from FortiManager).
FortiManager reachability status (from FortiGate).
Configuration installation and retrieval.
Script push.
JSON monitoring via RTM.


The following communications between FortiGate and FortiManager units are handled outside of the 'FGFM' protocol and are managed by the FortiGuard protocol:

FortiGuard package downloads (AV, IPS, Virus Scan, etc.)
FortiGuard query (WF, AS).
Firmware Downloads.

The 'FGFM' protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4. FortiManager 6.2 supports the use of IPv6.

Both FortiGate and FortiManager units have a 'FGFM' daemon running exclusively for FortiGate to FortiManager communication.
The FortiManager unit listens on TCP port 541 for an incoming session request. The FortiGate unit establishes an SSL session with the FortiManager.
Both units use TCP port 541 for sending and receiving messages.

The 'FGFM' daemon handles all FortiGate to FortiManager (and vice versa) authentication, keep-alive messages and actions resulting from them (such as instructing another daemon on a FortiGate device to update its configuration or various database files).


The 'diagnose fdsm central-mgmt-status' command provides connectivity and registration status of the ForitGate with the FortiManager.


# diagnose fgfm session-list


Telnet to the FortiManager IP on port 541 to ensure reachability.


# execute telnet <FMG-IP> 541


Ensure proper MTU size end to end from FGT to FMG


# exe ping-options df-bit yes


# exe ping-options data-size <1390>


# exe ping-options source <fgt ip used in fmg-source-ip in central mgmt>


# exe ping <fmg IP>


Also source IP of the FortiGate can be configured, to use the respective IP of the FortiGate, which is reachable with the FortiManager, which can be useful in cases like VPN access.


# config system central-management
    set fmg-source-ip <FGT-IP>


Debug on FortiGate.


# diag debug reset
# diag debug application fgfm 255
# diag debug console time enable
# diag debug en


Debug on FortiManager.


# diag debug reset
# diag debug application fgfm 255 <IP or Serial Number of the FGT>
# diag debug time enable
# diag debug en


To generate the output in the debugs, re-initiate the connection from the FortiGate (or) from the FortiManager:

1) Re-initiate the connection from the FortiGate CLI by restarting the 'FGFM' daemon.


fnsysctl killall fgfmd


2) Claim the tunnel from FortiManager CLI using the below syntax.


# exe fgfm reclaim-dev-tunnel <device_name>
    devicename                                <- Optional device name.


Use '# diagnose dvm device list' to get the device ID.

Capture the output of the debug command.

Sample FortiGate output to check the registration status.


# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered


Sniffer Packets:


If it is possible to ping FortiGate from FortiManager and if FortiGate is not communicating with FortiManager, then it is possible to capture the packets from the below commands.


Run sniffer on FortiGate using Putty with SSH connection and all session output logging:


# diag sniff pack any "port 541 and x.x.x.x" 4 <- Where x.x.x.x is the FortiManager IP address.


At the same time, run sniffer on FortiManager with following syntax:


# diag sniff pack any "port 541 and y.y.y.y" 4 <----- Where y.y.y.y is the FortiGate IP address.


Related article:

Technical Tip: How to verify FortiGate to FortiManager (FGFM) protocol TLS version

Technical Tip: How to create a log file of a session using PuTTY