Irah
New Contributor

Issue when adding FortiGate to FortiManager

Hi, 

I am looking for help.

I am trying to add FortiGate 7.6.4 KVM to FortiManager 7.6.4 KVM, but it doesn't work.

From FMG, I am getting the "Probe failed" error message for both OAuth Login (after successful login) and Legacy Login.

From FG, I am getting the following errors:

  • From GUI

FG-GUI.jpg

  • From CLI

FG-CLI.jpg

Connectivity test is OK:

  • FG can ping FMG and vice versa
  • FMG-Access is enabled on the FG interface connected to FMG
  • Telnet to FMG IP 541 from FG is successful

Other information:

  • fgfm-allow-vm is enabled on FMG
  • FAZ 7.6.4 KVM is successfully added to FMG
  • execute central-mgmt register-device on FG does nothing
  • I am not using a custom certificate

lenenkash
New Contributor

I don’t think it’s possible to add a FortiGate trial version in FMG and FAZ. I came to the conclusion that:

- In the certificate that a FortiGate running in evaluation mode sends to FortiManager to establish the tunnel, the serial number is missing from the common name field. As a result, FortiManager refuses to establish the connection because the certificate does not meet the validation requirements.

- No amount of configuration or troubleshooting will make the connection succeed. The issue is directly related to the certificate structure, therefore the tunnel cannot be formed in this mode.

yderek
Staff

@Irah Since this is a VM, and FMG by default does not allow VM connections, can you try to allow the VM connection on the FMG side?

On your FMG, open the CLI and try the command below:

=======================
config sys global
set fgfm-allow-vm enable
end
=====================

Now try to authorise again and see whether you can

Irah
New Contributor

fgfm-allow-vm is already enabled

 

yderek
Staff

Hi

@Irah Can you run the commands below and upload here?

On FortiGate

==========================
get router info routing-table details 10.0.0.100
config vpn certificate local
get Fortinet_Factory
end
exec ping-option data-size 1500
exe ping-options df-bit y
exec ping 10.0.0.100
exec ping-option data-size 1420
exe ping-options df-bit y
exec ping 10.0.0.100
show firewall local-in-policy
==========================

On the FMG side

==========================
config system global
get
==========================

Irah
New Contributor

Here,

FG-001.jpg FG-002.jpg

FMG-001.jpg FMG-002.jpg FMG-003.jpg

yderek
Staff

@Irah I can see your FMG has the setting below:

set enc-algorithm high

Can you change it to high on the FG side as well?

config system central-management
set enc-algorithm high
end

Also, the FortiGate certificate has CN=Fortigate, which should be the serial number, which looks something like below:

Screenshot 2025-12-29 094559.png

Which cloud platform is the FortiGate hosted on as a VM?

Irah
New Contributor

enc-algorithm high is not available on FG. So I set it to low on FMG. 

I am using KVM on CML

FG-Status.jpg

yderek
Staff

I think that is still something to do with your Factory certificate using the FortiGate device name instead of the serial number; see our previous conversation. If you have a valid license file, upload the license file again.

This can also be done via the GUI. Navigate to System -> FortiGuard, expand Virtual machine, choose FortiGate VM license and re-upload the license file.

Or alternatively use the command below:

exec vm-license <token>

Those commands might require you to reboot the FG afterwards; if this is a production environment, do this after hours.

Irah
New Contributor

I am using the permanent trial license. Tried to set up another instance. It is the same thing. The Factory cert CN=FortiGate.

 

PS: This is not a production env.
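
One way to check the condition discussed in this thread, as an added example that is not part of any post and is not Fortinet's code: it parses a certificate subject line and compares the CN with the device serial number. The subject lines, the serial `FGVM-EXAMPLE-0000` and the status names are constructed for illustration.

```python
import re

# Constructed sample data (not taken from the thread's screenshots).
SERIAL = "FGVM-EXAMPLE-0000"  # placeholder serial number
EVAL_SUBJECT = "Subject: O = Fortinet, OU = FortiGate, CN = FortiGate"
GOOD_SUBJECT = "subject=O=Fortinet,OU=FortiGate,CN=" + SERIAL


def parse_subject(line):
    """Return {ATTR: value} from an X.509 subject line.

    Accepts both 'Subject: O = x, CN = y' and 'subject=O=x,CN=y' styles.
    """
    dn = re.sub(r"^\s*subject\s*[:=]\s*", "", line.strip(), flags=re.I)
    attrs = {}
    # Split on commas that are not backslash-escaped inside a value.
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def check_cn(subject_line, serial):
    """Classify the subject CN against the device serial number."""
    cn = parse_subject(subject_line).get("CN")
    if cn is None:
        return "missing-cn"
    if cn == serial:
        return "ok"
    if cn.lower() == "fortigate":
        # The case reported in the thread: product name instead of serial.
        return "generic-cn"
    return "mismatch"


if __name__ == "__main__":
    for subject in (EVAL_SUBJECT, GOOD_SUBJECT, "Subject: O = Fortinet"):
        print(check_cn(subject, SERIAL), "<-", subject)
```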
