tpreethamsingh
Article Id 337101
Description

This article describes how to troubleshoot connectivity issues between FortiGate and FortiManager caused by CN or SAN verification of the custom certificate.

Scope

FortiManager v7.0.12, v7.2.5, v7.4.3, v7.6.0 and above, FortiGate.

Solution

Custom certificate CN or SAN verification was implemented in FortiManager v7.0.12, v7.2.5, v7.4.3 and v7.6.0.

This custom certificate is used when a FortiGate device connects to a FortiManager. The FortiGate and FortiManager administrators may configure the use of a custom certificate with the following CLI commands:

FortiGate CLI:

config system central-management
    set local-cert [Certificate name]
    set ca-cert [CA certificate name]
end

FortiManager CLI:

config system global
    set fgfm-ca-cert [certificate name] <- FortiGate-FortiManager CA certificates.
    set fgfm-local-cert [certificate name] <- FortiGate-FortiManager local certificate.
end

FortiManager (v7.0.12, v7.2.5, v7.4.3, or v7.6.0 and above) will expect the FortiGate serial number in either the CN or the SAN of the FortiGate's certificate. The FGFM tunnel connection may fail if the serial number is not present.


The debug output will look like the following:

2024-03-19 14:18:50 FGFMs(FGTXXXXXXXXX)-172.20.120.36): __get_handler: serial number (FGTXXXXXXXXX) in 'get' message doesn't match the subject CN (FGTXXXXXXXXX) or SAN in peer's certificate, exit.
2024-03-19 14:18:50 FGFMs(FGTXXXXXXXXX)-172.20.120.36): Cleanup session 0x192f4b0, 172.20.120.36.
2024-03-19 14:18:50 FGFMs(FGTXXXXXXXXX)-172.20.120.36): Destroy session 0x192f4b0, 172.20.120.36.
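Before assigning a custom certificate with set local-cert, an administrator can check offline that the FortiGate's certificate would pass this CN/SAN serial-number check. The script below is an added example, not Fortinet's own tooling; it assumes the openssl CLI is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): report whether an X.509 certificate carries a
# given FortiGate serial number in its subject CN or in a subjectAltName entry, which is
# the condition FortiManager applies to the FortiGate's certificate on the FGFM tunnel.
# Assumes the openssl CLI is installed; the function names are hypothetical.

# Print the subject CN. RFC2253 formatting keeps every RDN as its own "ATTR=value" token.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Print each SAN value on its own line with the "DNS:" / "IP Address:" type prefix removed.
# Prints nothing when the certificate has no subjectAltName extension.
cert_san_values() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        sed -n '2p' | tr ',' '\n' | sed 's/^ *//; s/^[^:]*://'
}

# Usage: fgfm_cert_has_serial CERT.pem SERIAL
# Exit status 0 when SERIAL exactly matches the CN or any SAN value, 1 otherwise.
fgfm_cert_has_serial() {
    { cert_subject_cn "$1"; cert_san_values "$1"; } | grep -qxF "$2"
}
```

Run it against the FortiGate's local certificate PEM, for example `fgfm_cert_has_serial fgt.pem FGTXXXXXXXXX && echo match`, using the serial number the device itself reports.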


As a workaround, allow peer certificates without a serial number by using the following command on FortiManager:

config system global
    set fgfm-peercert-withoutsn enable <- Disabled by default. Not available from v7.2.10, v7.4.6 and v7.6.2 onwards.
end

After assigning the certificate on FortiManager and FortiGate, run fnsysctl killall fgfm from the FortiGate to rebuild the FGFM tunnel between both devices.


Alternatively, on the FortiGate CLI:

Run the command below to confirm the device serial number:

#dia deb vm-print-license
SerialNumber: FGVMXXXXXXXX <----- Check this serial number
CreateDate: Thu Nov 2 16:16:23 2024
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 04 (9)
CPU: 4
MEM: 2147483647
VDOM license:
permanent: 10
subscription: 0

Once the serial number is confirmed, run the following command:

exec vm-license FGVMXXXXXXXX <----- Replace this with the serial number retrieved from the above command.
This operation will reboot the system !
Do you want to continue? (y/n)y

Note: Running the above command will reboot the FortiGate and re-apply the license.



Note:

In some cases, this also affects the connection between FortiAnalyzer and FortiManager, causing the probe to fail. Enabling fgfm-peercert-withoutsn will allow them to connect.


Related documents:

Technical Tip: Setup custom certificate for FGFM protocol
Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager
Technical Tip: How to register a new cluster when FortiManager 7.2.5 complains about subject CN or S...
