New Features

Validating FortiManager’s certificate before connection 7.2.8

Note

This information is also available in the FortiOS 7.2 Administration Guide:

As part of a security enhancement, FortiGate-initiated connections to central management using an on-premises FortiManager have the following requirements:

  • When initiating the connection to FortiManager from the FortiOS GUI, administrators must validate and accept the FortiManager serial number from the FortiManager certificate before a connection is established.

  • When initiating the connection to FortiManager from the FortiOS CLI, administrators must preconfigure the FortiManager serial number in central-management before a connection is established.

    config system central-management
        set type fortimanager
        set serial-number <FortiManager serial number>
        set fmg <IP/domain name>
    end

To add a FortiManager to the Security Fabric in the GUI:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the Central Management card.
  2. In the Settings tab, set the Status to Enabled.
  3. Set the Type to On-Premises.

  4. Enter the IP/Domain Name of the FortiManager.
  5. Click OK.

    The Verify FortiManager Serial Number pane appears.

  6. Review the serial number, and click Accept.

    The Request Sent & Received pane appears, indicating the FortiGate must be authorized on FortiManager.

  7. Click OK.
  8. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
  9. After the FortiGate is registered, log in to FortiGate again as either read-only or read/write.
  10. Go to Security Fabric > Fabric Connectors and double-click the Central Management card. The Connection Status is updated to Connected.

To add a FortiManager to the Security Fabric in the CLI:
  1. Enter the FortiManager connection information:

    config system central-management
        set type fortimanager
        set fmg {<IP_address> | <Domain name>}
        set serial-number <FMG serial number>
    end

  2. Approve the returned FortiManager serial number.

    When configuring the FortiManager connection from the CLI, no prompt is available to approve the returned FortiManager serial number. Enter the following:

    # execute central-mgmt <fmg-serial-no> <PSK>

    Note

    If you have not previously configured a model device in FortiManager and leveraged a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command.

  3. Go to FortiManager and authorize the FortiGate. See Authorizing the FortiGate in FortiManager.
  4. If necessary, use the diagnose fdsm central-mgmt-status command on the FortiGate to check the connection.
    • If the connection is not yet successful because the FortiManager serial number is not verified, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Handshake
      Registration status: Unknown
      Serial: FMGVMSTM2300xxxx

    • If the connection is up, but the FortiGate has not been authorized by FortiManager, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Up
      Registration status: Unregistered
      Serial: FMGVMSTM2300xxxx

    • If the connection is up, and the FortiGate has been authorized, the following information is displayed:

      # diagnose fdsm central-mgmt-status
      Connection status: Up
      Registration status: Registered
      Serial: FMGVMSTM2300xxxx
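The three states above are easy to misread when the check is run by hand across many FortiGates, and the detail that matters most for the security enhancement this page describes is whether the serial the FortiGate reports is the one the administrator pinned under config system central-management. The following is an added example, not Fortinet code: a small Python checker that parses the diagnose fdsm central-mgmt-status text in the format shown on this page and classifies it against the expected serial, treating a serial mismatch as the highest-priority finding. The sample outputs are constructed from the page's three states, and the serial values are placeholders.

```python
"""Classify FortiGate central-management state against a pinned FortiManager serial.

Added example, not Fortinet code. It assumes the output format of
`diagnose fdsm central-mgmt-status` is the three "Key: value" lines shown on
this page. Sample outputs below are constructed from those examples, and the
serial numbers are placeholders, not real devices.
"""
import re

# One "Key: value" line per field, as printed by the command on this page.
_FIELD_RE = re.compile(
    r"^(Connection status|Registration status|Serial):\s*(.+?)\s*$", re.MULTILINE
)
_KEYMAP = {
    "Connection status": "connection",
    "Registration status": "registration",
    "Serial": "serial",
}

# Constructed sample: serial not yet verified (no execute central-mgmt run yet).
SAMPLE_HANDSHAKE = """# diagnose fdsm central-mgmt-status
Connection status: Handshake
Registration status: Unknown
Serial: FMGVMSTM2300xxxx
"""

# Constructed sample: tunnel up, FortiGate not yet authorized on FortiManager.
SAMPLE_UNREGISTERED = """# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Unregistered
Serial: FMGVMSTM2300xxxx
"""

# Constructed sample: tunnel up and FortiGate authorized.
SAMPLE_REGISTERED = """# diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FMGVMSTM2300xxxx
"""


def parse_status(output: str) -> dict:
    """Extract connection state, registration state and reported serial."""
    fields = {"connection": None, "registration": None, "serial": None}
    for key, value in _FIELD_RE.findall(output):
        fields[_KEYMAP[key]] = value
    return fields


def evaluate(output: str, expected_serial: str) -> str:
    """Map command output to an operator verdict.

    A serial mismatch overrides every other state: the peer that answered is
    not the FortiManager whose serial was preconfigured, so the connection
    should not be approved or authorized until that is explained.
    """
    st = parse_status(output)
    if st["serial"] is None or st["connection"] is None:
        return "unparseable"
    if st["serial"] != expected_serial:
        return "serial-mismatch"
    if st["connection"] == "Handshake":
        # Next step on the page: execute central-mgmt <fmg-serial-no> <PSK>
        return "pending-serial-verification"
    if st["connection"] == "Up" and st["registration"] == "Unregistered":
        # Next step on the page: authorize the FortiGate in FortiManager
        return "awaiting-authorization"
    if st["connection"] == "Up" and st["registration"] == "Registered":
        return "connected"
    return "unknown"


if __name__ == "__main__":
    pinned = "FMGVMSTM2300xxxx"  # placeholder: the serial set under central-management
    for name, sample in [
        ("handshake", SAMPLE_HANDSHAKE),
        ("unregistered", SAMPLE_UNREGISTERED),
        ("registered", SAMPLE_REGISTERED),
    ]:
        print(f"{name:12s} -> {evaluate(sample, pinned)}")
    # Same output, different pinned serial: the mismatch is reported first.
    print(f"{'wrong serial':12s} -> {evaluate(SAMPLE_REGISTERED, 'FMGVMSTM2300yyyy')}")
```

Feed it the text captured from the CLI session and the serial you configured with set serial-number; anything other than "connected" tells you which step of the procedure above is still outstanding, and "serial-mismatch" is the one result that should stop the procedure rather than advance it.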