Hi @Great_Dane ,

First of all, let's use FMG as the abbreviation for FortiManager.

Could you please run the following commands on FMG for a try?

config system global

    set fgfm-peercert-withoutsn enable 

end

@AEK - I tried this, no luck :) It is actually saying "hey, don't use any TLS version below this configured", but if both units support and can negotiate higher version of TLS, they will do it. In this case, both devices will just negotiate TLS v1.3, and won't use anything below TLS v1.2, in case peer does not support it.

@dingjerry_FTNT - yes, you are absolutely right. I thought FG and FMG is clear, but yes: FG = Fortigate, FMG = FortiManager. Regarding your suggestion..., this command has been removed since FortiOS v7.4.6, and I am running v7.6.2, but... I have been trying with v7.4.5, and with the command suggested, just to rule out any possible misconfiguration with certificates, because I know how things may get picky when it comes down to PKI.

So, once again, both devices are running FortiOS v7.6.2. I have also provisioned another Fortigate in Azure with the PAYG license, just to make sure I am not crazy and not doing anything wrong here. Fortigate Azure successfully authenticates to FortiManager with custom certificate, and vice-versa.

This is what the current configuration on the FMG looks like:

config system global
    set fgfm-ca-cert Root_CA_LAB
    set fgfm-cert-exclusive enable
    set usg enable
end

 I have also tried with the "least restrictive" options, such as:

set ssl-low-encryption enable
set fgfm-deny-unknown disable
set fgfm-ssl-protocol sslv3

Nothing worked!

It is paramount to notice that TLS handshake is not failing (you can see that from the Fortigate and FortiManager logs). It is authentication that is failing, and that is because Fortigate is not sending any certificate to the FortiManager. Just like it is "programmed" to act like that with this type of EVAL license.

It is very frustrating and time consuming when guys from Fortinet decide to change something and don't document it. I bet this is something that just ain't working anymore, but they don't mention this in any documentation, whatsoever.

Another interesting thing to note is the default certificates that comes with the Fortigate VM eval and the licensed ones. Within the System > Certificates the non-eval FG contains a local certificate named "Fortinet_Factory" issued by the fortinet-subca2001 with the CN equal to the SN (something that is pre-req for the FortiOS version >= 7.4.6). The FG eval comes with the same certificate but the main difference is the issuer, which is "support", and the CN equals to "Fortigate".

If we look at the debug output on the FortiManager, we can see that the certificate being requested has to be issued from "fortinet" or "fortinet-ca2".

This can be seen here:

2025-02-11 13:27:23 __info_callback,993: role=svr,state=0, TLSv1.3 before SSL initialization
2025-02-11 13:27:23 __info_callback,993: role=svr,state=0, TLSv1.3 before SSL initialization
2025-02-11 13:27:23 Got client SNI information : sni=fortinet-ca2.fortinet.com
2025-02-11 13:27:23 __info_callback,993: role=svr,state=20, TLSv1.3 SSLv3/TLS read client hello
2025-02-11 13:27:23 __info_callback,993: role=svr,state=22, TLSv1.3 SSLv3/TLS write server hello
2025-02-11 13:27:23 __info_callback,993: role=svr,state=35, TLSv1.3 SSLv3/TLS write change cipher spec
2025-02-11 13:27:23 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 13:27:23 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 13:27:23 Got client SNI information : sni=fortinet-ca2.fortinet.com
2025-02-11 13:27:23 __info_callback,993: role=svr,state=20, TLSv1.3 SSLv3/TLS read client hello
2025-02-11 13:27:23 __info_callback,993: role=svr,state=22, TLSv1.3 SSLv3/TLS write server hello
2025-02-11 13:27:23 __info_callback,993: role=svr,state=37, TLSv1.3 TLSv1.3 write encrypted extensions
2025-02-11 13:27:23       CA issuer to broadcast: support
2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2
2025-02-11 13:27:23       CA issuer to broadcast: fortinet-ca2
2025-02-11 13:27:23 Svr broadcast 3 CA subject names to peer
2025-02-11 13:27:23 __info_callback,993: role=svr,state=25, TLSv1.3 SSLv3/TLS write certificate request
2025-02-11 13:27:23 Remote CA subject is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-subca2001/emailAddress=support@fortinet.com.
2025-02-11 13:27:23 issuer matching...try next if not match... local_issuer(fortinet-subca2001), remote_CA_subject(fortinet-subca2001)
2025-02-11 13:27:23 CA issuer matched, local=remote=fortinet-subca2001
2025-02-11 13:27:23 Find cert idx=0, peer_ca = 1
2025-02-11 13:27:23 __use_cert,617: start idx = 0

Since the Fortigate VM has the Fortinet_Factory certificate signed by the Fortinet, but the CN or SAN does not equal the FG's SN, this cannot work. So, I would say this is a bug or something that comes by design with the evaluation version. Anyhow, not really funny.

By looking at the:

Permanent trial mode for FortiGate-VM | FortiGate / FortiOS 7.6.2 | Fortinet Document Library

It can bee seen that low encryption operation should not apply to the GUI and FGFM, which implies you should be able to add it to the FortiManager :)

I would really like to hear if someone have had any luck with this setup.

The Fortigate Trial has other problems (like pushing configs that end with FAIL) but adding it to Fortimanager is possible.  For me the solution was to ssh into Fortimanager and then execute:

config sys global
set fgfm-peercert-withoutsn enable
end

After this I was able to test it both ways...from FortiGate Trial by adding the IP of FortiManager, and from FortiManager by adding the IP of the FortiGate Trial.  Just make sure you added FMG-Access to the interface on the FortiGate.