Adding Fortigate VM eval to FortiManager VM eval
Hi everyone,
I am trying to add a Fortigate VM eval, generated via the FortiCloud account to the FortiManager VM eval, also generated via the FortiCloud account. So, both units are "self-generated" evals. I am not talking about evals obtained through the local supplier. It is not working!!!
From the debug output on the FGM, it seems like the FG is not sending any certificate to the FGM while trying to set up communication via FGFM.
This is a debug output from the FGM:
2025-02-11 06:44:29 Use cert idx=0 by peer_ca = 1
2025-02-11 06:44:29 __info_callback,993: role=svr,state=23, TLSv1.3 SSLv3/TLS write certificate
2025-02-11 06:44:29 __info_callback,993: role=svr,state=40, TLSv1.3 TLSv1.3 write server certificate verify
2025-02-11 06:44:29 __info_callback,993: role=svr,state=36, TLSv1.3 SSLv3/TLS write finished
2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 06:44:29 __info_callback,993: role=svr,state=46, TLSv1.3 TLSv1.3 early data
2025-02-11 06:44:29 TLSv1.3 write fatal alert: unknown
2025-02-11 06:44:29 fw_proto_ssl.c,1026: TLSv1.3 error
2025-02-11 06:44:29 fw_proto_ssl.c,__get_error,1615, err=167772359, error:0A0000C7:SSL routines::peer did not return a certificate.
2025-02-11 06:44:29 fw_proto_ssl.c,__get_error,1629, ret=-4, error=1, errno=0,Success.
2025-02-11 06:44:29 proxy_session.c,__proxy_session_cleanup, 118:cnt=0, session=0x558f996106bc.
On the FG unit I can see the FGM is resetting the connection:
FGFMs: setting session 0x5578e5f67440 exclusive=0
FGFMs: Connect to 10.100.100.20:541, local 10.100.100.21:10514.
FGFMs: set_fgfm_sni SNI<fortinet-ca2.fortinet.com>
FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
FGFMs: Load TLS 1.3 Cipher [TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256]
FGFMs: Set self_initiated = 1
FGFMs: before SSL initialization
FGFMs: CA to broadcast: subject fortinet-subca2001, issuer fortinet-ca2
FGFMs: Broadcast 1 CA subject names to FMG
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: SSLv3/TLS write change cipher spec
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS write client hello
FGFMs: SSLv3/TLS read server hello
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Verified CA certificate 1: (subject: fortinet-subca2001, issuer: fortinet-ca2)
FGFMs: Verified peer certificate 0: (subject: *****, issuer: fortinet-subca2001)
FGFMs: SSLv3/TLS read server certificate
FGFMs: TLSv1.3 read server certificate verify
FGFMs: SSLv3/TLS read finished
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write finished
FGFMs: SSL negotiation finished successfully
FGFMs: client:send:
get auth
serialno=*****
mgmtid=00000000-0000-0000-0000-000000000000
platform=FortiGate-VM64-KVM
fos_ver=700
minor=6
patch=2
build=3462
branch=3462
maxvdom=2
fg_ip=10.100.100.21
hostname=*****
harddisk=yes
biover=04000002
harddisk_size=32768
logdisk_size=32124
mgmt_mode=normal
enc_flags=0
mgmtip=10.100.100.21
mgmtport=443
FGFMs: [__get_error:1169] error=5, errno=104,Connection reset by peer.
FGFMs: [__get_error:1169] error=5, errno=32,Broken pipe.
FGFMs: SSL Alert read: fatal unknown
FGFMs: Cleanup session 0x5578e5f67440, 10.100.100.20.
FGFMs: Destroy session 0x5578e5f67440, 10.100.100.20.
Both units are running FortiOS v7.6.2.
I have tried also with versions 7.4.5 and FG version 7.2.10. No success!
I have gone through all the documentation and know everything about changes from the >= 7.4.6 and peer certificate SN validation, low encryption algorithms, etc. Nothing worked!!!
I have to mention that adding a production or PAYG FG in Azure works like a charm (even with the custom certificates generated via local PKI). So, my guess is that alongside other limitations of FG VM eval (e.g., maximum of 3 routes, 1 CPU and 2 GB of RAM), you cannot manage this FG VM with FGM. Apparently, this had worked before (at least for other folks on the Internet), but it seems like it does not work anymore.
Has anyone had any luck with this setup?
Thank you!
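The two debug excerpts above describe one handshake from opposite ends, and the useful signal is only visible when both sides are read together. The script below is an added example (not code from this thread or from Fortinet) that parses constructed excerpts modelled on the quoted FMG and FGT debug output, extracts the OpenSSL reason code and the handshake milestones, and maps the pair to a single finding; the finding codes and the line patterns it matches on are my own assumptions about this log format, not a documented Fortinet interface.

```python
import re

# Constructed excerpts modelled on the FortiManager (FMG) and FortiGate (FGT) debug
# output quoted in the post; they are not captures from a live system.
FMG_DEBUG = """\
2025-02-11 06:44:29 __info_callback,993: role=svr,state=23, TLSv1.3 SSLv3/TLS write certificate
2025-02-11 06:44:29 __info_callback,993: role=svr,state=36, TLSv1.3 SSLv3/TLS write finished
2025-02-11 06:44:29 TLSv1.3 write fatal alert: unknown
2025-02-11 06:44:29 fw_proto_ssl.c,__get_error,1615, err=167772359, error:0A0000C7:SSL routines::peer did not return a certificate.
"""

FGT_DEBUG = """\
FGFMs: Connect to 10.100.100.20:541, local 10.100.100.21:10514.
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Verified peer certificate 0: (subject: *****, issuer: fortinet-subca2001)
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write finished
FGFMs: SSL negotiation finished successfully
FGFMs: client:send:
get auth
FGFMs: [__get_error:1169] error=5, errno=104,Connection reset by peer.
FGFMs: SSL Alert read: fatal unknown
"""

# OpenSSL 3 error string: error:<8 hex digits>:<library>::<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*::(.*?)\.?$")


def parse_fmg(text):
    """Summarise the FortiManager (TLS server) side of one FGFM handshake."""
    info = {"sent_server_cert": False, "fatal_alert": False,
            "openssl_code": None, "openssl_reason": None}
    for line in text.splitlines():
        if "role=svr" in line and "write certificate" in line:
            info["sent_server_cert"] = True
        if "write fatal alert" in line:
            info["fatal_alert"] = True
        m = OPENSSL_ERR.search(line)
        if m:
            info["openssl_code"], info["openssl_reason"] = m.group(1).upper(), m.group(2)
    return info


def parse_fgt(text):
    """Summarise the FortiGate (TLS client) side of the same handshake."""
    info = {"manager": None, "manager_cert_verified": False, "client_cert_requested": False,
            "client_cert_written": False, "handshake_ok": False, "reset_after_get_auth": False}
    sent_get_auth = False
    for line in text.splitlines():
        m = re.search(r"Connect to ([\d.]+):(\d+)", line)
        if m:
            info["manager"] = f"{m.group(1)}:{m.group(2)}"
        if "Verified peer certificate" in line:
            info["manager_cert_verified"] = True
        if "read server certificate request" in line:
            info["client_cert_requested"] = True
        if "write client certificate" in line:
            info["client_cert_written"] = True
        if "SSL negotiation finished successfully" in line:
            info["handshake_ok"] = True
        if line.strip() == "get auth":
            sent_get_auth = True
        if sent_get_auth and "Connection reset by peer" in line:
            info["reset_after_get_auth"] = True
    return info


def diagnose(fmg, fgt):
    """Map the two summaries to one finding code (assumed names) and a short explanation."""
    if not fgt["manager_cert_verified"]:
        return ("manager-cert-untrusted",
                "FortiGate did not verify the FortiManager certificate; check the CA chain on the FortiGate.")
    if fmg["openssl_reason"] and "did not return a certificate" in fmg["openssl_reason"]:
        if fgt["client_cert_requested"] and fgt["client_cert_written"]:
            return ("device-cert-unusable",
                    "FortiManager required a client certificate and found none usable, although the "
                    "FortiGate wrote its Certificate message: the device certificate did not satisfy the "
                    "manager's request (the thread points at the Fortinet_Factory CN vs. serial number "
                    "and at the fgfm-deny-unknown setting).")
        return "device-cert-absent", "FortiGate never offered a client certificate."
    if fgt["handshake_ok"] and fgt["reset_after_get_auth"]:
        return ("reset-after-auth",
                "TLS completed but FortiManager dropped the session at 'get auth'; look at the "
                "manager's device authorisation checks.")
    return "no-fault-found", "No known failure signature in these excerpts."


if __name__ == "__main__":
    code, why = diagnose(parse_fmg(FMG_DEBUG), parse_fgt(FGT_DEBUG))
    print(code)
    print(why)
```

One point the correlation makes visible: in TLS 1.3 the client sends its Certificate and Finished messages back to back, so the FortiGate logs "SSL negotiation finished successfully" before the manager has even evaluated the client certificate. The FortiGate's success line therefore does not mean the FortiManager accepted the device certificate; the server-side "peer did not return a certificate" and the fatal alert are the authoritative result.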
Labels: FortiGate-VM, FortiManager
Hi,
This is not true, the version FMG 7.6.2 has discontinued this command (this command works in 7.6.1).
Thanks for your help
Hi,
Is it possible for you to set fgfm-deny-unknown to disable in FortiManager?
config system global
set fgfm-deny-unknown disable
end
Hi,
1. Please check the FortiGate Serial Number on the FGT Dashboard.
2. Go to System -> Certificates -> check "Fortinet_Factory" cert and expand to check the CN=<value is it a correct FGT Serial No.>
If not same, then at FGT run CLI command:
# get sys status <--------- copy FGT Serial No. Eg: FGTAWSXXXX
# exe vm-license <copied FGT Serial No.> <--------- this will trigger a reboot of the FGT.
Eg:
exe vm-license FGTAXXXXXXX
Once the FGT has rebooted, go to System -> Certificates -> check the "Fortinet_Factory" cert and expand it to check whether the CN=FGTAXXXXXXXX
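The check above compares the CN of the Fortinet_Factory certificate with the serial number from "get sys status". As an added example (not code from this thread or from Fortinet), the script below performs that comparison offline: it reads the subject CN out of a DER or PEM certificate with a minimal X.509 walker, pulls Serial-Number out of a pasted "get system status" block, and reports whether they match. The certificate it runs on is a constructed, unsigned certificate shell built in the same file so the example runs without an export from a real unit; the function names are my own.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3 (commonName) in DER


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed DER element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out


def cn_from_name(name_body):
    """Return the commonName of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (vtag, value) = _children(atv)
            if oid == CN_OID:  # BMPString is UTF-16BE; Printable/UTF8/IA5 decode as UTF-8
                return value.decode("utf-16-be" if vtag == 0x1E else "utf-8")
    return None


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def subject_cn(cert_der):
    """Walk Certificate -> tbsCertificate -> subject and return its CN."""
    _, cert_body, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version precedes serialNumber in v2/v3 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return cn_from_name(fields[4][1])


def serial_from_status(status_text):
    """Pull Serial-Number out of pasted 'get system status' output."""
    m = re.search(r"^Serial-Number:\s*(\S+)", status_text, re.M)
    return m.group(1) if m else None


def factory_cert_matches_serial(cert_der, status_text):
    """Return (cn, serial, match) so the caller can report the mismatch the thread describes."""
    cn = subject_cn(cert_der)
    serial = serial_from_status(status_text)
    return cn, serial, cn is not None and cn == serial


# --- constructed fixtures (not real certificates or real device output) ---------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def constructed_cert_der(subject_cn_value):
    """Structure-only, unsigned certificate shell with the given subject CN (demo fixture)."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
           + _name("Constructed-Issuer")
           + _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
           + _name(subject_cn_value) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + sha256_rsa + _der(0x03, b"\x00"))


CONSTRUCTED_STATUS = "Serial-Number: FGVMEV51ZHQUEXXX\nLicense Status: Valid\n"

if __name__ == "__main__":
    for cn in ("FortiGate", "FGVMEV51ZHQUEXXX"):
        print(factory_cert_matches_serial(constructed_cert_der(cn), CONSTRUCTED_STATUS))
```

On a real unit, export the Fortinet_Factory certificate in PEM, read it with pem_to_der, and pass the pasted "get system status" text; a CN of "FortiGate" against a serial of the FGVM... form is exactly the mismatch reported later in this thread.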
Hi Nur,
Hm... I can confirm the CN for the "Fortinet_Factory" and the SN do not match. The CN for the "Fortinet_Factory" is "FortiGate". I wonder if this is a bug. It would be great if anyone else could confirm that on version 7.6.2 (but I have also tried other versions, like 7.4.5, etc.) they are facing the same issue.
Regarding the suggested commands; I get "Failed to download VM license".
Created on 04-02-2025 04:09 AM Edited on 04-02-2025 04:10 AM
These commands don't work:
FGVMEV51ZHQUExxx # exec ping www.google.es
PING www.google.es (142.251.37.163): 56 data bytes
64 bytes from 142.251.37.163: icmp_seq=0 ttl=111 time=18.4 ms
64 bytes from 142.251.37.163: icmp_seq=1 ttl=111 time=26.9 ms
^C
--- www.google.es ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max = 18.4/22.6/26.9 ms
FGVMEV51ZHQUEXXX # exec vm-license FGVMEV51ZHQUEXXX
This operation will reboot the system !
Do you want to continue? (y/n)y
Requesting FortiCare license token: *******, proxy:(null)
Failed to download VM license.
GET SYSTEM STATUS:
....
IPS-Engine: 7.01026(2024-11-14 23:09)
Serial-Number: FGVMEV51ZHQUEXXX
License Status: Valid
VM Resources: 1 CPU/1 allowed, 1993 MB RAM/2048 MB allowed
Log hard disk: Not available
Hostname: FGVMEV51ZHQUEXXX
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
....
Thanks for your support
Hi everyone,
I would repeat this post from @AlexFerenX:
"
> I would really like to hear if someone have had any luck with this setup.
Any luck?
"
Because NOBODY has configured FMG KVM with the permanent trial version 7.6.2 that registers with FGT 7.6.2 KVM with the permanent trial version.
(I have configured FMG KVM with trial version 7.6.1 with FortiGate KVM trial version 7.6.2, but there are a lot of BUGs in FMG 7.6.1 and it does not support FGT 7.6.2)
Thanks,
Created on 04-02-2025 06:11 AM Edited on 04-02-2025 06:14 AM
I have not worked with Fortigate for quite some time, but I had to come back to it because of a project I am currently working on.
In the past it was more like better not to have a demo version of FG at all, because it was full of bugs to the point that it would have been better if it had been forbidden by law than for someone to be able to download it.
Unfortunately, I see over the past few years nothing changed. I really don't know why Fortinet still sticks to these stripped-down versions of their demo products, which work criminally badly, and does not offer a full version of a product with limited BW capabilities, like other vendors do. This would be more than enough to have a decent lab environment you can use for PoC and lab testing. Just frustrating and discouraging for any engineer. Such a shame!
And....
If you wish to download new certificates created by you with the SN in the CN:
You can create the CSR for the FMG without problems, and you can download the certificate and the root CA.
BUT....., when you create the CSR for the FGT, an RSA size of 512 is the ONLY OPTION for the FGT. This size limitation is very important, because a lot of CAs don't work with this RSA size, because it is deprecated. And the FGT has problems with the root CA too.
I only hope that in the next FMG version 7.6.x (above 7.6.2) the command to avoid the certificate comes back. PLEASE!!!
Thanks for your help,
