Fortinet black logo

Tunneling

Copy Link
Copy Doc ID 067f5236-ca6d-11e9-8977-00505692583a:792511
Download PDF

Tunneling

All other management traffic, which at this point will only be RTM traffic, is tunneled through the SSL connection with an fgfm header identifying the packet data as an IP packet to be extracted and passed to the device over a tunnel interface (see next section for more details).

Tunnel setup details

The following settings are sent from FortiManager to the FortiGate unit during the setup of the fgfm tunnel:

Note

To enable the following viewing, you must log in to the FortiGate CLI with the administrative account and enter the following debug commands:

# diagnose debug enable

# diagnose debug application fgfmd 255

After entering the above commands, you will see the following log printed out on the FortiGate CLI during fgfm tunnel setup:

......
FGFMs: Set managment id 247331677 OK.
FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 300
FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
FGFMs: [__chg_by_fgfm_msg] set sock timeout: 900
FGFMs: [fgfm_msg_put_tuninfo] vdom=’root’, physical_intf=, intf=’wan1’
FGFMs: client:send:
get ip
first_fmgid=
probe_mode=yes
vdom=root
intf=wan1
FGFMs: client:
reply 200
overwrite_fmgid=1
request=ip
ip=169.254.0.2
mgmtid=247331677
register_status=1
fmg_ip=192.168.48.46
keepalive_interval=300
chan_window_sz=32768
sock_timeout=900
FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 300
FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
FGFMs: [__chg_by_fgfm_msg] set sock timeout: 900
...... 

Tunneling

All other management traffic, which at this point will only be RTM traffic, is tunneled through the SSL connection with an fgfm header identifying the packet data as an IP packet to be extracted and passed to the device over a tunnel interface (see next section for more details).

Tunnel setup details

The following settings are sent from FortiManager to the FortiGate unit during the setup of the fgfm tunnel:

Note

To enable the following viewing, you must log in to the FortiGate CLI with the administrative account and enter the following debug commands:

# diagnose debug enable

# diagnose debug application fgfmd 255

After entering the above commands, you will see the following log printed out on the FortiGate CLI during fgfm tunnel setup:

......
FGFMs: Set managment id 247331677 OK.
FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 300
FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
FGFMs: [__chg_by_fgfm_msg] set sock timeout: 900
FGFMs: [fgfm_msg_put_tuninfo] vdom=’root’, physical_intf=, intf=’wan1’
FGFMs: client:send:
get ip
first_fmgid=
probe_mode=yes
vdom=root
intf=wan1
FGFMs: client:
reply 200
overwrite_fmgid=1
request=ip
ip=169.254.0.2
mgmtid=247331677
register_status=1
fmg_ip=192.168.48.46
keepalive_interval=300
chan_window_sz=32768
sock_timeout=900
FGFMs: [__chg_by_fgfm_msg] set keepalive_interval: 300
FGFMs: [__chg_by_fgfm_msg] set channel buffer/window size to 32768 bytes
FGFMs: [__chg_by_fgfm_msg] set sock timeout: 900
......