Description
This article describes how to resolve the issue where a FortiGate HA cluster cannot be registered in FortiManager because of a Serial Number (SN) mismatch inside the FortiGate certificate used for the FGFM connection.
Scope
FortiManager.
Solution
When a FortiGate registers to FortiManager for the first time, or when the fgfmd daemon subsequently connects to FortiManager on TCP/541 (when configured as central management), the primary node of the HA cluster initiates the connection using an encrypted TLS connection.
This connection is authenticated using the built-in 'Fortinet_Factory' certificate stored on the FortiGate. Custom certificates can also be used to authenticate the connection. In a FortiGate HA cluster with two or more nodes, the certificate is replicated from the primary node to the secondary nodes.
The certificate carries a 'Common Name (CN)' in its Subject and may also carry a 'Subject Alternative Name (SAN)' field. Starting with FortiManager versions 7.0.12/7.2.5/7.4.3, the certificate must include the FortiGate's serial number in either the CN or the SAN field for the connection between the FortiGate and FortiManager to be established. More details can be found in the Special Notices.
The serial number issue inside the certificate's subject shows up in the following ways:
Note: The Secondary Member of a FortiGate HA cluster should have the Primary Member's serial number inside its certificate's CN/SAN field. This is expected behavior once the Secondary Member has been added to the cluster. More details are in the article Technical Tip: How local certificates are handled in a FortiGate HA cluster.
Examples of the issue:
FortiManager CLI:
diagnose debug application fgfmsd 255
FGFMs(probing...): __get_handler:1060: sn doesn't match
FGFMs(probing...): __get_handler:1088: serial number (FG############) in 'get' message doesn't match the subject CN (FortiGate) in peer's certificate.
diagnose debug application fgfmsd 255
FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: issuer matching...try next if not match... localissuer(fortinet-subca2001), remoteissuer(support)
FGFMs: need change local cert to ISSUER[support]
FortiGate CLI:
diagnose debug application fgfmd -1
FGFMs: Load certificate /etc/cert/factory/root_Fortinet_Factory.cer OK
FGFMs: unable to get certificate, exit
How to check the serial number values:
Check the serial number of the FortiGate:
FortiGate 'root' VDOM CLI:
get system status | grep -i serial
Serial-Number: FG101FTK1xxxxx29
Compare it to the value of the CN/SAN in the certificate used for the FGFM communication ('Fortinet_Factory' is the default):
FortiGate 'root' VDOM CLI:
config vpn certificate local
get Fortinet_Factory | grep CN
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG101FTK2xxxxx76, emailAddress = support@fortinet.com
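The comparison just described (device serial versus the CN/SAN in the FGFM certificate), together with a triage of the fgfmsd debug lines shown earlier, can be scripted against saved CLI output. The following is an added example, not Fortinet code; it assumes the 'Serial-Number:' and 'Subject:' line formats exactly as excerpted in this article, uses constructed placeholder serial numbers, and applies the HA rule from the note above (every member's certificate CN is expected to carry the primary's serial). SAN values are passed in separately because the article does not show how FortiOS prints them.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed sample CLI output, modelled on the excerpts shown in this
# article (placeholder serial numbers, not real devices).
STATUS_OUTPUT = "Serial-Number: FG101FTK1xxxxx29\n"
CERT_OUTPUT = (
    "Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, "
    "OU = FortiGate, CN = FG101FTK2xxxxx76, emailAddress = support@fortinet.com\n"
)
# Constructed fgfmsd debug lines, copied in shape from the article.
FGFMSD_DEBUG = [
    "FGFMs(probing...): __get_handler:1060: sn doesn't match",
    "FGFMs(probing...): __get_handler:1088: serial number (FG############) in "
    "'get' message doesn't match the subject CN (FortiGate) in peer's certificate.",
]

SERIAL_RE = re.compile(r"^Serial-Number:\s*(\S+)", re.MULTILINE)
SUBJECT_RE = re.compile(r"^Subject:\s*(.+)$", re.MULTILINE)
MISMATCH_RE = re.compile(
    r"serial number \((?P<serial>[^)]+)\) in 'get' message doesn't match "
    r"the subject CN \((?P<cn>[^)]+)\)"
)


def parse_serial(status_output: str) -> Optional[str]:
    """Extract the Serial-Number value from 'get system status' output."""
    m = SERIAL_RE.search(status_output)
    return m.group(1) if m else None


def parse_subject(subject: str) -> Dict[str, str]:
    """Split 'C = US, ST = California, ..., CN = X' into an RDN dict."""
    fields: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_cert_cn(cert_output: str) -> Optional[str]:
    """Extract the subject CN from 'get Fortinet_Factory' output."""
    m = SUBJECT_RE.search(cert_output)
    return parse_subject(m.group(1)).get("CN") if m else None


def serial_in_cert(serial: str, cn: Optional[str], sans: Sequence[str] = ()) -> bool:
    """FortiManager's rule: the device serial must appear in the CN or a SAN."""
    return serial == cn or serial in sans


def check_cluster(members: Iterable[Dict[str, str]]) -> Dict[str, bool]:
    """Check each HA member's certificate CN against the expected value.

    Per the article, the certificate is replicated from the primary, so every
    member's CN is expected to hold the PRIMARY's serial number.
    Input dicts: {"role": "primary"|"secondary", "serial": ..., "cert_cn": ...}
    Returns {member serial: True if its CN equals the primary's serial}.
    """
    members = list(members)
    primaries = [m for m in members if m["role"] == "primary"]
    if len(primaries) != 1:
        raise ValueError("expected exactly one primary member")
    expected = primaries[0]["serial"]
    return {m["serial"]: m["cert_cn"] == expected for m in members}


def find_sn_mismatches(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Pull (serial, certificate CN) pairs out of fgfmsd 'sn doesn't match' lines."""
    found: List[Tuple[str, str]] = []
    for line in log_lines:
        m = MISMATCH_RE.search(line)
        if m:
            found.append((m.group("serial"), m.group("cn")))
    return found


if __name__ == "__main__":
    serial = parse_serial(STATUS_OUTPUT)
    cn = parse_cert_cn(CERT_OUTPUT)
    verdict = "OK" if serial_in_cert(serial, cn) else "MISMATCH - regenerate the certificate"
    print(f"device serial {serial}, certificate CN {cn}: {verdict}")
    for sn, bad_cn in find_sn_mismatches(FGFMSD_DEBUG):
        print(f"fgfmsd reports serial {sn} vs certificate CN {bad_cn}")
```

With the article's own sample values the script reports a mismatch (serial ...29 against CN ...76), which is exactly the state the regeneration steps below are meant to correct; in the cluster check, a secondary whose CN still holds its own serial is flagged because, per the note above, it should carry the primary's.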
Before the FortiManager versions 7.2.10/7.4.6/7.6.1:
SN verification can be disabled on FortiManager, although it is recommended to keep it enabled:
config system global
    set fgfm-peercert-withoutsn enable
end
Starting with the FortiManager versions 7.2.10/7.4.6/7.6.1:
The CLI option above has been removed. There are two ways to proceed, depending on the FortiGate platform.
FortiGate VM:
Check the serial number with one of the commands below:
FortiGate 'root' VDOM CLI:
Apply the correct serial number with the following command. The command will reboot the FortiGate.
FortiGate 'root' VDOM CLI:
If it is a hardware FortiGate, apply the following command:
FortiGate 'root' VDOM CLI:
execute vpn certificate local generate default-ssl-key-certs
get vpn certificate local details
Note: Starting with FortiManager versions 7.4.7 (Special Notices 7.4.7) and 7.6.3 (Special Notices 7.6.3), connections from VM-based devices to FortiManager are restricted by default for security reasons. As part of this change, FortiManager no longer permits VM platform connections over FGFM unless explicitly allowed. To allow VM platform connections over FGFM, enter the following command in the FortiManager CLI:
config system global
    set fgfm-allow-vm enable
end
Related documents:
Copyright 2026 Fortinet, Inc. All Rights Reserved.