New Features

Enable high encryption on FGFM protocol for unlicensed FortiGate-VMs 7.2.1

So that FortiManager can manage unlicensed FortiGate-VMs, FortiOS enables high encryption on the FortiGate to FortiManager (FGFM) protocol, giving a secure connection between the FortiGate and FortiManager. In this context, a FortiGate-VM is considered unlicensed if it does not have any license applied, including an evaluation license. After the FortiGate-VMs are added to Device Manager, FortiManager can install VM licenses on the managed FortiGate-VMs.

For example, if you deployed five unlicensed FortiGate-VMs, you can configure central management in each VM's CLI to point to the FortiManager. FortiManager can then communicate with all five VMs over high encryption and manage them.

The example below demonstrates that after configuring central management from the unlicensed VM's CLI (in this case a VM with an invalid license), FortiOS can initiate a secure TLS 1.3 session to the FortiManager and establish a connection. In the trace, the FortiGate opens the connection to TCP port 541 on the FortiManager, checks that the FortiManager certificate is issued by the CA it trusts locally (Root issuer matched), and answers the server's certificate request with its own client certificate, so both ends are authenticated before the device's serial number is sent in the get auth request. Subsequently, FortiManager can add this device to device management and install a VM license on it.

To allow FortiManager to apply a license to an unlicensed FortiGate-VM instance:
  1. Confirm that the FortiGate is unlicensed by running get system status in the FortiOS CLI. The following shows expected output for this command:

    Version: FortiGate-VM64 v7.2.1,build1242,220715 (interim)
    ...
    Serial-Number: FGVMEVNXFLTGKOBC
    License Status: Invalid
    VM Resources: 2 CPU/1 allowed, 3963 MB RAM/2048 MB allowed

  2. In the FortiOS CLI, configure the FortiManager:

    config system central-management
        set type fortimanager
        set fmg "<FortiManager IP address>"
    end

  3. In the FortiOS CLI, confirm that the FortiGate-VM can connect to FortiManager by running diagnose fdsm central-mgmt-status. The following shows expected output for this command. Registration status stays Unknown until the device is authorized in FortiManager (step 5); the trace shows the TLS 1.3 handshake, the issuer check on the FortiManager certificate, and the client certificate the FortiGate presents in return:

    Connection status: Handshake
    Registration status: Unknown
    FGFMs: Create session 0x114988a0.
    FGFMs: setting session 0x114988a0 exclusive=0
    FGFMs: Connect to 10.6.30.239:541, local 10.6.30.74:22055.
    FGFMs: cert_id<0>, sni<support.>
    FGFMs: set_fgfm_sni SNI<support.fortinet.com>
    FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
    FGFMs: before SSL initialization
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS read server hello
    FGFMs: SSLv3/TLS write change cipher spec
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS read server hello
    FGFMs: TLSv1.3 read encrypted extensions
    FGFMs: SSLv3/TLS read server certificate request
    FGFMs: SSLv3/TLS read server certificate
    FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
    FGFMs: issuer matching...try next if not match... localissuer(support), remoteissuer(support)
    FGFMs: Root issuer matched, local=remote=support
    FGFMs: TLSv1.3 read server certificate verify
    FGFMs: SSLv3/TLS read finished
    FGFMs: SSLv3/TLS write client certificate
    FGFMs: SSLv3/TLS write certificate verify
    FGFMs: SSLv3/TLS write finished
    FGFMs: SSL negotiation finished successfully
    FGFMs: client:send: get auth serialno=FGVMEVNXFLTGKOBC mgmtid=00000000-0000-0000-0000-000000000000 platform=FortiGate-VM64 fos_ver=700 minor=2 patch=1 build=1242 branch=1242 maxvdom=2 fg_ip=10.6.30.74 hostname=FGT-ESXi-REGR harddisk=yes biover=04000002 harddisk_size=30720 logdisk_size=30235 mgmt_mode=normal enc_flags=0 mgmtip=10.6.30.74 mgmtport=443
    FGFMs: SSL negotiation finished successfully
    FGFMs: SSL negotiation finished successfully
    FGFMs: SSLv3/TLS read server session ticket
    FGFMs: SSL negotiation finished successfully
    FGFMs: SSL negotiation finished successfully
    FGFMs: SSLv3/TLS read server session ticket
    FGFMs: client: reply 200 request=auth serialno=FMG-VMTM21011759 user= passwd= mgmtport=443 keepalive_interval=120 chan_window_sz=32768 sock_timeout=360 mgmtid=2016070622
    FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 120
    FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
    FGFMs: [__chg_by_fgfm_msg] set sock timeout: 360
    FGFMs: client:send: reply 501 request=auth
    FGFMs: serial no FMG-VMTM21011759 saved to FMG detect file
    FGFMs: Entering __cmdb_event_centmgmt_handler 1364.
    FGFMs: Entering fgfm_clt_restart 373.
    FGFMs: Cleanup session 0x114988a0, 10.6.30.239.
    FGFMs: Destroy session 0x114988a0, 10.6.30.239.
    FGFMs: Create session 0x114a0e40.
    FGFMs: setting session 0x114a0e40 exclusive=0
    FGFMs: Connect to 10.6.30.239:541, local 10.6.30.74:22056.
    FGFMs: cert_id<0>, sni<support.>
    FGFMs: set_fgfm_sni SNI<support.fortinet.com>
    FGFMs: Load Cipher [ALL:!RC4:!EXPORT:@STRENGTH]
    FGFMs: before SSL initialization
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS read server hello
    FGFMs: SSLv3/TLS write change cipher spec
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS write client hello
    FGFMs: SSLv3/TLS read server hello
    FGFMs: TLSv1.3 read encrypted extensions
    FGFMs: SSLv3/TLS read server certificate request
    FGFMs: SSLv3/TLS read server certificate
    FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
    FGFMs: issuer matching...try next if not match... localissuer(support), remoteissuer(support)
    FGFMs: Root issuer matched, local=remote=support
    FGFMs: TLSv1.3 read server certificate verify
    FGFMs: SSLv3/TLS read finished
    FGFMs: SSLv3/TLS write client certificate
    FGFMs: SSLv3/TLS write certificate verify
    FGFMs: SSLv3/TLS write finished
    FGFMs: SSL negotiation finished successfully
    FGFMs: client:send: get auth serialno=FGVMEVNXFLTGKOBC mgmtid=00000000-0000-0000-0000-000000000000 platform=FortiGate-VM64

  4. Register the FortiGate to FortiManager by running execute central-mgmt register-device <FortiManager SN> <password> in the FortiOS CLI, where <FortiManager SN> is the FortiManager serial number reported in the step 3 trace (FMG-VMTM21011759 in this example) and <password> (shown as xxxxxx in the original command) is the password used to register with that FortiManager. The step 2 configuration above does not set this password; use the one configured for registration with the FortiManager.
  5. In FortiManager, authorize the unlicensed FortiGate-VM from the Unregistered Devices list.
  6. In the FortiOS CLI, confirm that the FortiGate-VM registered to FortiManager by running diagnose fdsm central-mgmt-status. The following shows expected output for this command:

    Connection status: Up
    Registration status: Registered

  7. In FortiManager, right-click the FortiGate, then select Install VM License.

  8. In the FortiOS GUI, confirm that the FortiGate-VM has received a license from the FortiManager.
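The following script is an added example; it is not part of the Fortinet page and not Fortinet code. It parses a saved diagnose fdsm central-mgmt-status trace like the one in step 3 and checks the properties that make the FGFM session "high encryption" in practice: a TLS 1.3 handshake that completed, mutual certificate authentication (server certificate request answered with a client certificate), a FortiManager certificate whose issuer FortiOS matched to its local CA, a 200 reply to the get auth request, and the Registered status expected after step 6. The sample trace is constructed from the lines shown on this page. The expectation that the issuer is O=Fortinet, CN=support and that FGFM uses TCP port 541 are assumptions taken from that trace; a FortiManager deployed with a custom CA would need the issuer check changed.

```python
# Audit a FortiOS `diagnose fdsm central-mgmt-status` trace for what the page's handshake shows:
# TLS 1.3, mutual certificate auth against the Fortinet support CA, FortiManager on TCP/541.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the trace on this page, trimmed to one handshake plus auth.
SAMPLE_TRACE = """\
Connection status: Handshake
Registration status: Unknown
FGFMs: Connect to 10.6.30.239:541, local 10.6.30.74:22055.
FGFMs: TLSv1.3 read encrypted extensions
FGFMs: SSLv3/TLS read server certificate request
FGFMs: Remote issuer is /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
FGFMs: Root issuer matched, local=remote=support
FGFMs: TLSv1.3 read server certificate verify
FGFMs: SSLv3/TLS write client certificate
FGFMs: SSLv3/TLS write certificate verify
FGFMs: SSL negotiation finished successfully
FGFMs: client:send: get auth serialno=FGVMEVNXFLTGKOBC platform=FortiGate-VM64 fos_ver=700 minor=2 patch=1 build=1242 enc_flags=0 mgmtip=10.6.30.74 mgmtport=443
FGFMs: client: reply 200 request=auth serialno=FMG-VMTM21011759 user= passwd= mgmtport=443 keepalive_interval=120
"""

STATUS_RE = re.compile(r"(Connection|Registration) status:\s*(\S+)")
CONNECT_RE = re.compile(r"Connect to \S+:(\d+), local ")
ISSUER_RE = re.compile(r"Remote issuer is (.+?)\.?\s*$")
GETAUTH_RE = re.compile(r"client:send: get auth (.*)")
REPLY_RE = re.compile(r"client: reply (\d+) request=\w+\s*(.*)")

def parse_pairs(text: str, sep: Optional[str] = None) -> Dict[str, str]:
    """k=v items split on `sep` (a DN with sep='/', FGFM fields with the default); empty values kept as ''."""
    return dict(p.split("=", 1) for p in text.split(sep) if "=" in p)

@dataclass
class FgfmReport:
    connection_status: str = ""
    registration_status: str = ""
    fmg_port: int = 0
    tls13: bool = False                  # a TLSv1.3-specific handshake message was logged
    issuer: Dict[str, str] = field(default_factory=dict)  # FortiManager certificate issuer DN
    issuer_matched: bool = False         # FortiOS matched that issuer to its local CA
    client_cert_requested: bool = False  # FortiManager asked for a client certificate
    client_cert_sent: bool = False       # FortiOS presented one (mutual TLS)
    handshake_ok: bool = False
    device: Dict[str, str] = field(default_factory=dict)  # fields FortiOS sent in "get auth"
    auth_reply_code: int = 0
    fmg_serial: str = ""

def parse_fgfm_trace(text: str) -> FgfmReport:
    r = FgfmReport()
    for line in text.splitlines():
        if m := STATUS_RE.match(line.strip()):
            setattr(r, f"{m.group(1).lower()}_status", m.group(2))
        msg = line.partition("FGFMs:")[2].strip()
        if not msg: continue
        if m := CONNECT_RE.search(msg):
            r.fmg_port = int(m.group(1))
        elif m := ISSUER_RE.match(msg):
            r.issuer = parse_pairs(m.group(1), "/")
        elif m := GETAUTH_RE.match(msg):
            r.device = parse_pairs(m.group(1))
        elif m := REPLY_RE.match(msg):
            r.auth_reply_code = int(m.group(1))
            r.fmg_serial = parse_pairs(m.group(2)).get("serialno", "")
        elif msg.startswith("TLSv1.3 "):
            r.tls13 = True
        elif msg.startswith("Root issuer matched"):
            r.issuer_matched = True
        elif msg == "SSLv3/TLS read server certificate request":
            r.client_cert_requested = True
        elif msg == "SSLv3/TLS write client certificate":
            r.client_cert_sent = True
        elif msg == "SSL negotiation finished successfully":
            r.handshake_ok = True
    return r

def audit(r: FgfmReport) -> List[str]:
    """Findings for anything that differs from the page's example; [] means it matches."""
    # Issuer pinning (O=Fortinet, CN=support) is an assumption from the page's trace; a custom CA differs.
    checks = [
        (r.fmg_port == 541, f"FGFM connected to port {r.fmg_port}, expected 541"),
        (r.tls13, "no TLSv1.3 handshake messages seen"),
        (r.handshake_ok, "TLS negotiation did not complete"),
        (r.client_cert_requested and r.client_cert_sent, "no mutual certificate authentication observed"),
        (r.issuer_matched and r.issuer.get("O") == "Fortinet" and r.issuer.get("CN") == "support",
         f"server certificate issuer is not the expected Fortinet support CA: {r.issuer}"),
        (r.auth_reply_code == 200, f"FortiManager auth reply was {r.auth_reply_code}, expected 200"),
        (r.registration_status == "Registered", f"registration status is '{r.registration_status}', expected Registered"),
    ]
    return [msg for ok, msg in checks if not ok]

def registered_sample() -> str:
    """The same trace as it reads after step 6, once the device is authorized in FortiManager."""
    return SAMPLE_TRACE.replace("status: Handshake", "status: Up").replace("status: Unknown", "status: Registered")

if __name__ == "__main__":
    for label, trace in (("after step 3", SAMPLE_TRACE), ("after step 6", registered_sample())):
        print(label + ":", audit(parse_fgfm_trace(trace)) or "matches the page's example")
```

Run it as-is to see the step 3 trace reported with only the pending-registration finding and the step 6 variant reported clean, or replace SAMPLE_TRACE with the output captured from your own VM. A trace without the "write client certificate" line, or with an issuer other than the Fortinet support CA, is flagged, which is the case worth catching before you register a device that is not yet licensed.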
