Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Validating FortiManager’s certificate before connection 7.0.15

    Validating FortiManager’s certificate before connection 7.0.15

    As part of a security enhancement, FortiGate initiated connections to central management using an on-premise FortiManager will have the following requirements:

    • When initiating the connection to FortiManager from the FortiOS GUI, administrators must validate and accept the FortiManager serial number from the FortiManager certificate before a connection is established.

    • When initiating the connection to FortiManager from the FortiOS CLI, administrators must preconfigure the FortiManager serial number in central-management before a connection is established.

      config system central-management
    set type fortimanager
    set serial-number <FortiManager serial number>
    set fmg <IP/domain name>
end
    To add a FortiManager to the Security Fabric using the GUI:
    1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiManager card.

      The FortiManager card is used to configure the FortiManager connection information.

    2. For Status, click Enable.
    3. For Type, click On-Premise.

    4. Enter the IP/Domain Name of the FortiManager.
    5. Click OK.

      The Verify FortiManager Serial Number pane appears.

    6. Review the serial number, and click Accept.

      The Confirm pane appears, indicating the FortiGate must be authorized on FortiManager.

    7. Click OK.
    8. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
    9. After the FortiGate is registered, log in to FortiGate again as either read-only or read/write.
    10. Go to Security Fabric > Fabric Connectors and double-click the FortiManager card. The Status is updated to Enabled.

    To add a FortiManager to the Security Fabric using the CLI:
    1. Provide FortiManager connection information:
      config system central-management
    set type fortimanager
    set fmg {<IP_address> | <Domain name>}
    set serial-number <FMG serial number>
end
    2. Approve the returned FortiManager serial number:

      When configuring the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. Therefore you must provide the following command:

      execute central-mgmt <fmg-serial-no> <PSK>
      Note

      If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command.

    3. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
    4. If necessary on FortiGate, use the diagnose fdsm central-mgmt-status command to diagnose the connection.
      • If the connection is not yet successful because the FortiManager serial number is not verified, the following information is displayed:
        # diagnose fdsm central-mgmt-status
Connection status: Handshake
Registration status: Unknown
Serial: FMGVMSTM2300xxxx

      • If the connection is up, but the FortiGate has not been authorized by FortiManager, the following information is displayed:

        # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Unregistered
Serial: FMGVMSTM2300xxxx

      • If the connection is up, and the FortiGate has been authorized, the following information is displayed:

        # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVMSTM2300xxxx
    Previous
    Next

    Validating FortiManager’s certificate before connection 7.0.15

    Validating FortiManager’s certificate before connection 7.0.15

    As part of a security enhancement, FortiGate initiated connections to central management using an on-premise FortiManager will have the following requirements:

    • When initiating the connection to FortiManager from the FortiOS GUI, administrators must validate and accept the FortiManager serial number from the FortiManager certificate before a connection is established.

    • When initiating the connection to FortiManager from the FortiOS CLI, administrators must preconfigure the FortiManager serial number in central-management before a connection is established.

      config system central-management
    set type fortimanager
    set serial-number <FortiManager serial number>
    set fmg <IP/domain name>
end
    To add a FortiManager to the Security Fabric using the GUI:
    1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiManager card.

      The FortiManager card is used to configure the FortiManager connection information.

    2. For Status, click Enable.
    3. For Type, click On-Premise.

    4. Enter the IP/Domain Name of the FortiManager.
    5. Click OK.

      The Verify FortiManager Serial Number pane appears.

    6. Review the serial number, and click Accept.

      The Confirm pane appears, indicating the FortiGate must be authorized on FortiManager.

    7. Click OK.
    8. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
    9. After the FortiGate is registered, log in to FortiGate again as either read-only or read/write.
    10. Go to Security Fabric > Fabric Connectors and double-click the FortiManager card. The Status is updated to Enabled.

    To add a FortiManager to the Security Fabric using the CLI:
    1. Provide FortiManager connection information:
      config system central-management
    set type fortimanager
    set fmg {<IP_address> | <Domain name>}
    set serial-number <FMG serial number>
end
    2. Approve the returned FortiManager serial number:

      When configuring the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. Therefore you must provide the following command:

      execute central-mgmt <fmg-serial-no> <PSK>
      Note

      If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command.

    3. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
    4. If necessary on FortiGate, use the diagnose fdsm central-mgmt-status command to diagnose the connection.
      • If the connection is not yet successful because the FortiManager serial number is not verified, the following information is displayed:
        # diagnose fdsm central-mgmt-status
Connection status: Handshake
Registration status: Unknown
Serial: FMGVMSTM2300xxxx

      • If the connection is up, but the FortiGate has not been authorized by FortiManager, the following information is displayed:

        # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Unregistered
Serial: FMGVMSTM2300xxxx

      • If the connection is up, and the FortiGate has been authorized, the following information is displayed:

        # diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVMSTM2300xxxx
    Previous
    Next