Created on 08-28-2024 08:00 AM
Edited on 03-12-2025 11:42 PM
By tnesh
Description
The article describes how to troubleshoot connectivity issues between FortiGate and FortiManager caused by CN or SAN verification of the custom certificate.
Scope
FortiManager v7.0.12, v7.2.5, v7.4.3, v7.6.0 and above, FortiGate.
Solution
Custom certificate CN or SAN verification was implemented in FortiManager v7.0.12, v7.2.5, v7.4.3 and v7.6.0. This custom certificate is used when a FortiGate device connects to a FortiManager. The FortiGate and FortiManager administrators may configure the use of a custom certificate with the following CLI commands:
FortiGate CLI:

config system central-management
    set local-cert [Certificate name]
    set ca-cert [CA certificate name]
end

FortiManager CLI:

config system global
    set fgfm-ca-cert [certificate name]       <- FortiGate-FortiManager CA certificate.
    set fgfm-local-cert [certificate name]    <- FortiGate-FortiManager local certificate.
end
FortiManager (v7.0.12, v7.2.5, v7.4.3, or v7.6.0 and above) will expect a FortiGate serial number in either the CN or SAN of the certificate. The FGFM tunnel connection may fail if a serial number is not present.
The debug output will look like the following:
As a workaround, configure FortiManager to accept a peer certificate that does not carry the serial number with the following command:

config system global
    set fgfm-peercert-withoutsn enable    <- Disabled by default. Not available from v7.2.10, v7.4.6 and v7.6.2 onwards.
end
After assigning the certificates on FortiManager and FortiGate, run fnsysctl killall fgfm on the FortiGate to rebuild the FGFM tunnel between the two devices.
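Because fgfm-peercert-withoutsn is gone from v7.2.10, v7.4.6 and v7.6.2 onwards, the lasting fix is to issue a custom certificate that actually carries the FortiGate serial number. The script below is an added example, not Fortinet tooling or code from this article: it generates three throwaway self-signed certificates with openssl (serial number in the CN, serial number as a SAN entry, and no serial number at all, using the made-up serial FGVM01TM00000000) and checks each one the way FortiManager's CN/SAN verification expects, so a certificate can be validated before it is imported and the FGFM tunnel rebuilt. It assumes openssl 1.1.1 or later on the PATH; the helper names mkcert and cert_has_serial are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for a custom FGFM certificate (added example; not Fortinet
# tooling). FortiManager 7.0.12/7.2.5/7.4.3/7.6.0 and later require the
# FortiGate serial number in the certificate's Subject CN or subjectAltName,
# so verify that before loading the certificate on the FortiGate.
# Assumptions: openssl 1.1.1+ is installed; the serial number below is made up.
set -e

SN="FGVM01TM00000000"          # constructed example serial number
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Three throwaway self-signed certificates as constructed sample input.
mkcert() {  # mkcert NAME SUBJECT [SAN]
  if [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
      -addext "subjectAltName=$3" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}
mkcert good_cn  "/O=Example/CN=$SN"                                       # serial in CN
mkcert good_san "/O=Example/CN=fgt-branch1.example.com" \
                "DNS:fgt-branch1.example.com,DNS:$SN"                     # serial in SAN
mkcert bad      "/O=Example/CN=fgt-branch1.example.com" \
                "DNS:fgt-branch1.example.com"                             # serial absent

# cert_has_serial CERT SERIAL: exit 0 if SERIAL is the Subject CN or is the
# value of any subjectAltName entry (DNS:, IP Address:, ...), else exit 1.
cert_has_serial() {
  cert="$1"; sn="$2"
  # Subject in RFC2253 form, e.g. "subject=O=Example,CN=FGVM01TM00000000"
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$sn" ] && return 0
  # SAN line from the text dump, e.g. "DNS:fgt-branch1.example.com, DNS:FGVM...";
  # empty when the extension is absent.
  san=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' | tr -d ' ')
  for entry in $(printf '%s' "$san" | tr ',' ' '); do
    [ "${entry#*:}" = "$sn" ] && return 0
  done
  return 1
}

for name in good_cn good_san bad; do
  if cert_has_serial "$WORK/$name.pem" "$SN"; then
    echo "$name.pem: serial number $SN present in CN or SAN, FortiManager will accept it"
  else
    echo "$name.pem: serial number $SN missing, FortiManager will reject the FGFM tunnel"
  fi
done
```

Run it against a real certificate by calling cert_has_serial with the PEM file and the serial number reported by the FortiGate; a non-zero exit means the certificate should be re-issued (serial number in the CN or as a SAN entry) rather than relying on fgfm-peercert-withoutsn, which newer FortiManager builds no longer offer.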
Or, on the FortiGate CLI, confirm the device serial number in the license information; the output looks like the following (serial number masked):

SerialNumber: FGVMXXXXXXXX    <----- Check this serial number
CreateDate: Thu Nov 2 16:16:23 2024
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 04 (9)
CPU: 4
MEM: 2147483647
VDOM license: permanent: 10 subscription: 0

Then re-apply the VM license with that serial number; this reboots the FortiGate:

exec vm-license FGVMXXXXXXXX    <----- Replace this with the serial number retrieved from the above output.
This operation will reboot the system !
Do you want to continue? (y/n)y
Note: In some cases this also affects the connection between FortiAnalyzer and FortiManager, causing the probe to fail; enabling this setting allows them to connect.
Related documents:
Technical Tip: Setup custom certificate for FGFM protocol
Copyright 2025 Fortinet, Inc. All Rights Reserved.