Created on 10-28-2024 10:11 PM Edited on 10-29-2024 03:00 AM By Anthony_E
certificate for FGFM protocol - Error (Auto Link Disabled)
Hi Team,
I am applying secure communication between FortiManager and FortiGate. The certificates are good and tested properly.
Here are the errors and debugs:
FortiManager:
2024-10-28 22:07:06 { "client": "dmserver:907", "id": 30, "method": "exec", "params": [{ "data": { "device": 164, "force": 0, "sn": "FGT70FTK220----9", "sn list": []}, "target start": 3, "url": "start\/tunnel"}], "root": "fgfm"}
2024-10-28 22:07:06 FGFMs(FGT70FTK220----9-164-172.16.1.1): server:send:
2024-10-28 22:07:06 put auth
user=admin
passwd=******
2024-10-28 22:07:06 FGFMs(FGT70FTK220----9-164-172.16.1.1): server:
2024-10-28 22:07:06 reply 501
request=auth
2024-10-28 22:07:06 Response:
2024-10-28 22:07:06 { "id": 30, "result": [{ "status": { "code": 2, "message": "no permission"}, "url": "start\/tunnel"}]}
2024-10-28 22:07:06 Response [unknown]:
2024-10-28 22:07:06 { "id": 30, "result": [{ "status": { "code": 2, "message": "no permission"}, "url": "start\/tunnel"}]}
2024-10-28 22:07:06 Request:
2024-10-28 22:07:06 { "client": "dmserver:907", "id": 31, "method": "exec", "params": [{ "data": { "device": 164, "force": 0, "sn": "FGT70FTK220----9", "sn list": []}, "target start": 3, "url": "start\/tunnel"}], "root": "fgfm"}
2024-10-28 22:07:06 FGFMs(FGT70FTK22014599-164-172.16.1.1): server:send:
2024-10-28 22:07:06 put auth
user=admin
passwd=******
2024-10-28 22:07:06 FGFMs(FGT70FTK220----9-164-172.16.1.1): server:
2024-10-28 22:07:06 reply 501
request=auth
2024-10-28 22:07:06 Response:
2024-10-28 22:07:06 { "id": 31, "result": [{ "status": { "code": 2, "message": "no permission"}, "url": "start\/tunnel"}]}
2024-10-28 22:07:06 Response [unknown]:
2024-10-28 22:07:06 { "id": 31, "result": [{ "status": { "code": 2, "message": "no permission"}, "url": "start\/tunnel"}]}
2024-10-28 22:07:06 Request:
2024-10-28 22:07:06 { "client": "dmserver:907", "id": 32, "method": "exec", "params": [{ "data": { "device": 164, "force": 0, "sn": "FGT70FTK220----9", "sn list": []}, "target start": 3, "url": "start\/tunnel"}], "root": "fgfm"}
2024-10-28 22:07:06 FGFMs(FGT70FTK220----9-164-172.16.1.1): server:send:
2024-10-28 22:07:06 put auth
user=admin
passwd=******
The Error on FortiGate:
Message Administrator admin login failed from fgfm(172.16.1.101) because of invalid password
On the FortiManager - Here is the configuration:
config system global
set fgfm-ca-cert 1
set fgfm-cert-exclusive enable
set fgfm-local-cert "FAC"
set usg enable
end
It works after adding username and password for the device under the FortiManager using:
# execute device replace user <device_name> <username>
# execute device replace pw <device_name> <password>
I want to understand why the username and password need to be added manually after successful certificate verification.
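Added example (not part of the original thread, and not Fortinet code): a small Python triage of FortiManager FGFM debug output in the format posted above. It groups each tunnel request with the auth reply and JSON result, so the rejected admin login shows up as its own step. The sample log is constructed with placeholder serial and address, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the format of the debug output posted above;
# the serial number and IP address are placeholders.
SAMPLE = """\
2024-10-28 22:07:06 { "client": "dmserver:907", "id": 30, "method": "exec", "params": [{ "data": { "device": 164, "sn": "FGT-EXAMPLE-0001"}, "url": "start\\/tunnel"}], "root": "fgfm"}
2024-10-28 22:07:06 FGFMs(FGT-EXAMPLE-0001-164-192.0.2.1): server:send:
2024-10-28 22:07:06 put auth
user=admin
passwd=******
2024-10-28 22:07:06 FGFMs(FGT-EXAMPLE-0001-164-192.0.2.1): server:
2024-10-28 22:07:06 reply 501
request=auth
2024-10-28 22:07:06 Response:
2024-10-28 22:07:06 { "id": 30, "result": [{ "status": { "code": 2, "message": "no permission"}, "url": "start\\/tunnel"}]}
2024-10-28 22:07:06 { "client": "dmserver:907", "id": 31, "method": "exec", "params": [{ "data": { "device": 164, "sn": "FGT-EXAMPLE-0001"}, "url": "start\\/tunnel"}], "root": "fgfm"}
2024-10-28 22:07:06 put auth
user=admin
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def triage(text):
    """Group debug lines by JSON request id: serial, auth user, auth reply, result."""
    findings, current = {}, None
    lines = [TS.sub("", raw).strip() for raw in text.splitlines()]
    for prev, line in zip([""] + lines, lines):
        if line.startswith("{"):
            try:
                msg = json.loads(line)
            except json.JSONDecodeError:
                continue  # line truncated when the log was pasted
            if "method" in msg:  # request from dmserver to the fgfm daemon
                sn = msg["params"][0]["data"].get("sn")
                current = findings.setdefault(
                    msg["id"], {"sn": sn, "user": None, "auth_reply": None, "status": None})
            elif msg.get("id") in findings:  # response; a repeated copy stores the same value
                findings[msg["id"]]["status"] = msg["result"][0]["status"]["message"]
        elif current is not None:
            if prev == "put auth" and line.startswith("user="):
                current["user"] = line[len("user="):]  # passwd= lines are never stored
            elif line == "request=auth" and prev.startswith("reply "):
                current["auth_reply"] = int(prev.split()[1])
    return findings

def rejected_logins(findings):
    """Request ids whose auth request got the 501 reply seen in the post."""
    return sorted(i for i, f in findings.items() if f["auth_reply"] == 501)
```

A request that is cut off before any reply, like id 31 in the sample, is kept with `auth_reply` and `status` set to `None` rather than counted as a rejection.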
Hello Barinder,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Jean,
I found that manually adding the FMG serial number on FGT helps, but I want to know if this is the procedure.
Regards,
Barry Ghuman
Created on ‎10-31-2024 08:48 AM Edited on ‎10-31-2024 08:54 AM
Hello again :)
Thanks for the update, we will try to find somebody who can answer that!
@AEK @pminarik @Debbie_FTNT do you have maybe an idea?
Have a great day.
Hello Barry
Which FGT and FMG versions?
Hey Barinder,
In addition to the certificate, FortiManager also needs a valid administrator login for FortiGate. Usually, FortiManager is used to push configuration to FortiGate, and this has to happen under a specific admin account.
Hi Debbie,
I think there is a missing flow here. When manually adding the FortiManager serial number under the FortiGate "config system central-management".
Could you verify if adding a serial number is required because it is not mentioned in the configuration guides?
I am using 7.0.12 FMG and 7.0.16 FGT.
Regards,
Barry Ghuman
