Validating FortiManager’s certificate before connection 7.2.8
This information is also available in the FortiOS 7.2 Administration Guide.
As part of a security enhancement, FortiGate-initiated connections to central management on an on-premises FortiManager have the following requirements:
- When initiating the connection to FortiManager from the FortiOS GUI, administrators must validate and accept the FortiManager serial number from the FortiManager certificate before a connection is established.
- When initiating the connection to FortiManager from the FortiOS CLI, administrators must preconfigure the FortiManager serial number in `central-management` before a connection is established:

```
config system central-management
    set type fortimanager
    set serial-number <FortiManager serial number>
    set fmg <IP/domain name>
end
```
To add a FortiManager to the Security Fabric in the GUI:
- On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Central Management card.
- In the Settings tab, set the Status to Enabled.
- Set the Type to On-Premises.
- Enter the IP/Domain Name of the FortiManager.
- Click OK.
The Verify FortiManager Serial Number pane appears.
- Review the serial number, and click Accept.
The Request Sent & Received pane appears, indicating the FortiGate must be authorized on FortiManager.
- Click OK.
- Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
- After the FortiGate is registered, log in to FortiGate again as either read-only or read/write.
- Go to Security Fabric > Fabric Connectors and double-click the Central Management card. The Connection Status is updated to Connected.
To add a FortiManager to the Security Fabric in the CLI:
- Enter the FortiManager connection information:

```
config system central-management
    set type fortimanager
    set fmg {<IP_address> | <Domain name>}
    set serial-number <FMG serial number>
end
```
- Approve the returned FortiManager serial number.
When configuring the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. Enter the following:

```
# execute central-mgmt <fmg-serial-no> <PSK>
```

If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the `execute central-mgmt` command.
- Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
- If necessary on FortiGate, use the `diagnose fdsm central-mgmt-status` command to diagnose the connection.
If the connection is not yet successful because the FortiManager serial number is not verified, the following information is displayed:

```
# diagnose fdsm central-mgmt-status
Connection status: Handshake
Registration status: Unknown
Serial: FMGVMSTM2300xxxx
```

If the connection is up, but the FortiGate has not been authorized by FortiManager, the following information is displayed:

```
# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Unregistered
Serial: FMGVMSTM2300xxxx
```

If the connection is up, and the FortiGate has been authorized, the following information is displayed:

```
# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVMSTM2300xxxx
```
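As an added example that is not part of the Fortinet documentation, the following Python script parses the three `diagnose fdsm central-mgmt-status` states shown above and maps each to the next step of the procedure, flagging first any reported serial that differs from the one preconfigured under `config system central-management`. The sample outputs are constructed from this page's states, and the serial is the page's redacted placeholder, not a real device.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs of "diagnose fdsm central-mgmt-status", modelled on
# the three states documented above; the serial is the page's redacted placeholder.
OUTPUT_HANDSHAKE = "Connection status: Handshake\nRegistration status: Unknown\nSerial: FMGVMSTM2300xxxx\n"
OUTPUT_UNREGISTERED = "Connection status: Up\nRegistration status: Unregistered\nSerial: FMGVMSTM2300xxxx\n"
OUTPUT_REGISTERED = "Connection status: Up\nRegistration status: Registered\nSerial: FMGVMSTM2300xxxx\n"

_FIELDS = ("Connection status", "Registration status", "Serial")
# Lines that do not match (e.g. the echoed command prompt) are ignored.
_LINE = re.compile(r"^\s*(Connection status|Registration status|Serial):\s*(\S+)\s*$")


@dataclass(frozen=True)
class CentralMgmtStatus:
    connection: str    # Handshake | Up
    registration: str  # Unknown | Unregistered | Registered
    serial: str        # FortiManager serial number reported by the FortiGate


def parse_status(output: str) -> CentralMgmtStatus:
    """Parse the three key/value lines; a missing line is an error, not a guess."""
    found = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    missing = [f for f in _FIELDS if f not in found]
    if missing:
        raise ValueError(f"missing field(s) in output: {missing}")
    return CentralMgmtStatus(found["Connection status"], found["Registration status"], found["Serial"])


def assess(output: str, expected_serial: str) -> str:
    """Map the output to the next action. A serial that differs from the
    preconfigured one is flagged before the connection state is considered."""
    st = parse_status(output)
    if st.serial.lower() != expected_serial.lower():
        return "serial-mismatch"          # do not approve; re-check the fmg address
    if st.connection == "Handshake":
        return "serial-not-verified"      # approve with: execute central-mgmt <serial> <PSK>
    if st.connection == "Up" and st.registration == "Unregistered":
        return "awaiting-authorization"   # authorize the FortiGate on FortiManager
    if st.connection == "Up" and st.registration == "Registered":
        return "connected"
    return "unexpected"                   # any other combination: investigate first


if __name__ == "__main__":
    for out in (OUTPUT_HANDSHAKE, OUTPUT_UNREGISTERED, OUTPUT_REGISTERED):
        print(assess(out, "FMGVMSTM2300xxxx"))
```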