FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
sfrati
Staff
Staff
Article Id 352347

Description

 

This article describes how to add devices when FortiManager is configured with 'fgfm-deny-unknown enable'.

 

When this CLI setting is configured:

 

config system global

set fgfm-deny-unknown enable

end

 

FortiManager rejects all management requests from devices with serial numbers which are not already in its Device Manager Database.

In this case, if the FGFM connection is initiated by a new FortiGate, it will not appear as an Unauthorized Device in FortiManager.

If this new FortiGate is behind NAT, then FortiManager also cannot use FGFM discovery to connect to the FortiGate.

 

When a FortiGate is configured to contact a FortiManager with this setting enabled, the FortiManager will show event logs containing this message:


msg="Deny request from an unregistred device [fgt_serial] ([connecting_IP])"

 

Note for FortiGate HA: The steps in this article are not applicable when adding a FortiGate HA setup.

 

Scope

 

FortiManager / FortiManager Cloud.

 

Solution

 

In the above scenario, the only way to add a new FortiGate is to first create it in the Device Manager Database. Here are a few possible ways to do that.

 

Option 1. Device Manager (Normal mode ADOM) -> Add Device -> Add Model Device.

 

Important Note:

After creating a model device in a Normal mode ADOM, FortiManager automatically assigns a default configuration to it. If this default configuration is not modified, FortiManager will push it as is to the newly connected FortiGate, effectively deleting its running configuration.
This can be avoided by following the instructions below.

 

  • In FortiManager versions 7.4 and up, disable 'auto-link' when creating the model device, by turning off the option 'Automatically Link to Real Device'.

    iyotov_0-1730311355103.png

     

  • In FortiManager v7.2.8 +, the option 'Automatically Link to Real Device' is not available in the Add Device screen, but it can be still disabled after that by editing the already added model device.

    2024-11-19 11_28_02-FortiManager-VM64_ 10.109.20.194 — Mozilla Firefox.png
     
  • In all other FortiManager versions:
    • Backup the running FortiGate configuration from the FortiGate GUI.
    • In FortiManager, go to the Device Manager, select the new Model Device, and navigate to its Dashboard.
    • Find the 'Configuration and Installation' widget and open the Revision History.

      iyotov_1-1730311355112.png

 

  • In the Revision History window, select More -> Import Revision.

    iyotov_2-1730311355117.png

 

  • When selecting the FortiGate config file to import.

    iyotov_3-1730311355120.png
    iyotov_4-1730311355125.png

 

  • When done, the revision count will remain 0 and the imported revision will not be visible in the revision history table.
    To confirm that the config was imported and reloaded in the 'device database' of the modem device, go again to the 'Configuration and Installation' widget, and open the 'Device Configuration DB'.

    iyotov_5-1730311355136.png

 

  • The next screen contains a FortiOS CLI format where some key parts of the imported config can be verified, to confirm that the intended config file was correctly imported. For example hostname, interface IPs, etc..

 

iyotov_8-1730311949391.png

 

Option 2Use temporary Backup Mode ADOM (not applicable for FortiManager Cloud):

  • Create a new Backup ADOM.

 

iyotov_0-1730457923331.png

 

  • Then enter this Backup ADOM and navigate to Device Manager -> Add Device -> Add Model Device to create the model device.
  • When the real FortiGate connects and matches the model device, FortiManager will trigger auto-link task but only retrieve the device config, without starting an installation.
  • When the task is complete, move the device to a normal mode ADOM to manage it.

Option 3. Create a new 'real' (non-model) device directly into the FortiManager Device Manager Database using JSON API. Refer to How to add a real FortiGate device to FortiManager using an API query. This option allows multiple devices to be added with automation tools and is more convenient when a large number of new FortiGates need to be added.