FGFM - FortiGate to FortiManager Protocol

The FortiGate to FortiManager (FGFM) protocol is designed for FortiGate and FortiManager deployment scenarios, especially where NAT is used. These scenarios include the FortiManager on public internet while the FortiGate unit is behind NAT, FortiGate unit is on public internet while FortiManager is behind NAT, or both FortiManager and FortiGate unit have routable IP addresses.

The FortiManager unit's Device Manager uses FGFM to create new device groups, provision and add devices, and install policy packages and device settings.

TCP port 541 is the default port for FGFM traffic between the FortiGate and the FortiManager on the management network; port 542 is used for IPv6 connections.

Adding a FortiGate to the FortiManager

Adding a FortiGate unit to a FortiManager requires configuration on both devices. This section describes the basic configuration needed on each side to manage the FortiGate from the FortiManager.

FortiGate configuration

Adding a FortiGate unit to FortiManager lets the unit receive antivirus and IPS updates and be managed remotely through the FortiManager system or the FortiCloud service. The FortiGate unit can be in either NAT or transparent mode. FortiManager manages the FortiGate unit over TCP port 541.

You must first enable Central Management on the FortiGate so that firmware updates and FortiGuard services can be delivered through FortiManager:

  1. Go to Security Fabric > Settings.
  2. Enable Central Management and set Type to FortiManager.
  3. Enter the FortiManager's IP/Domain Name in the field provided.

To configure the same settings in the CLI, enter the following (fmg accepts either an IP address or an FQDN):

config system central-management
    set fmg <string>
end

To register the FortiGate with the FortiManager using the registration password, enter:

execute central-mgmt register-device <fmg-serial-no> <fmg-register-password>


FGFM is also used by ADOMs (Administrative Domains) set to Normal Mode. Normal Mode gives the administrator Read/Write privileges to make changes in the ADOM and manage devices from the FortiManager. FortiGate units in the ADOM check their own configuration every five seconds; if it has changed, the FortiGate unit sends a revision containing the change to the FortiManager over FGFM.

To configure central management on the FortiGate unit, enter the following on the FortiGate:

config system central-management
    set mode normal
    set fortimanager-fds-override enable
    set fmg <string>
end

Configuring an SSL connection

The default setting enables both the high and medium encryption algorithms. The High, Medium and Low levels correspond to the following OpenSSL cipher suites:

High
    Key strength: key lengths larger than 128 bits, and some cipher suites with 128-bit keys
    Algorithms: DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA

Medium
    Key strength: 128-bit keys
    Algorithms: RC4-SHA:RC4-MD5:RC4-MD

Low
    Key strength: 64- or 56-bit keys, excluding export cipher suites
    Algorithms: EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5

An SSL connection can be configured between the two devices and an encryption level selected. To configure the connection in the CLI, enter the following:

config system central-management
    set status enable
    set enc-algorithm (default | high | low)
end

Note that default enables both the high and medium encryption algorithms. Because the Medium level consists entirely of RC4 suites, default still permits RC4 on the management tunnel; set enc-algorithm high to restrict the tunnel to the High list.
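The following Python script is an added example, not Fortinet code, that reads the three cipher lists from the table above and reports what each enc-algorithm setting admits on the FGFM tunnel, including the default (high plus medium) combination. The key-size and MAC tables in it are the script's own reading of OpenSSL suite names, and the function names (parse_suite, audit, recommended_setting) are the example's own; FortiOS reports none of this itself.

```python
"""Audit the OpenSSL cipher strings behind the FortiOS enc-algorithm levels.

Added example, not Fortinet code.  The three cipher strings are the ones
listed in the table above (the truncated third Medium entry is kept as it
appears on the page).  OpenSSL names suites as [KEX-]CIPHER-MAC; the
key-size and MAC tables below are this script's own reading of those names
and are not reported by FortiOS itself.
"""
from __future__ import annotations

LEVELS = {
    "high": "DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:"
            "DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA",
    "medium": "RC4-SHA:RC4-MD5:RC4-MD",
    "low": "EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5",
}
DEFAULT_LEVELS = ("high", "medium")   # the page documents default = high + medium

# Cipher token -> (nominal key bits, effective strength bits)
CIPHERS = {
    "AES256": (256, 256),
    "AES128": (128, 128),
    "DES-CBC3": (168, 112),   # 3DES: meet-in-the-middle caps it at ~112 bits
    "DES-CBC": (56, 56),
    "RC4": (128, 0),          # keystream biases make RC4 unfit at any key size
}
MACS = {"SHA": "SHA1", "MD5": "MD5"}
EPHEMERAL_KEX = ("DHE-RSA", "EDH-RSA")   # ephemeral DH with RSA auth: forward secrecy


def parse_suite(name: str) -> dict | None:
    """Split an OpenSSL suite name into kex/cipher/mac and flag its weaknesses.

    Returns None when a token is not in the tables above rather than guessing.
    """
    kex, rest = "RSA", name          # no prefix means static RSA key exchange
    for prefix in EPHEMERAL_KEX:
        if name.startswith(prefix + "-"):
            kex, rest = prefix, name[len(prefix) + 1:]
            break
    cipher, _, mac = rest.rpartition("-")
    if cipher not in CIPHERS or mac not in MACS:
        return None
    nominal, effective = CIPHERS[cipher]
    flags = []
    if effective < 112:
        flags.append("broken cipher")
    elif effective < nominal:
        flags.append("legacy cipher")
    if MACS[mac] == "MD5":
        flags.append("MD5 MAC")
    if kex == "RSA":
        flags.append("no forward secrecy")
    return {"name": name, "kex": kex, "cipher": cipher, "mac": MACS[mac],
            "effective_bits": effective, "flags": flags}


def audit(levels: tuple[str, ...] = DEFAULT_LEVELS) -> dict:
    """Summarise what a given enc-algorithm setting admits on the FGFM tunnel."""
    suites, unparsed = [], []
    for level in levels:
        for name in LEVELS[level].split(":"):
            parsed = parse_suite(name)
            if parsed is None:
                unparsed.append(name)
            else:
                suites.append(parsed)
    return {
        "weakest_bits": min(s["effective_bits"] for s in suites),
        "broken": [s["name"] for s in suites if "broken cipher" in s["flags"]],
        "flagged": {s["name"]: s["flags"] for s in suites if s["flags"]},
        "unparsed": unparsed,
    }


def recommended_setting() -> str:
    """Of the documented levels, the one with no broken cipher and the best floor."""
    clean = [lvl for lvl in LEVELS if not audit((lvl,))["broken"]]
    return max(clean, key=lambda lvl: audit((lvl,))["weakest_bits"])


if __name__ == "__main__":
    for setting in ("default", "high", "low"):
        levels = DEFAULT_LEVELS if setting == "default" else (setting,)
        print(setting, audit(levels))
    print("recommended: set enc-algorithm", recommended_setting())
```

Running it shows that default has an effective floor of 0 bits because of the RC4 suites in Medium, and that even High still carries 3DES, MD5 and static-RSA suites; the script therefore settles on high as the least bad of the three documented values.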

FortiManager configuration

Use the Device Manager pane to add, configure, and manage devices.

You can add existing operational devices, unregistered devices, provision new devices, and add multiple devices at a time.

Adding an operating FortiGate HA cluster to the Device Manager pane is similar to adding a standalone device. Type the IP address of the primary device. The FortiManager will handle the cluster as a single managed device.

To confirm that a device model or firmware version is supported by the firmware version currently running on the FortiManager, enter the following CLI command:

diagnose dvm supported-platforms list

Replacing a FortiGate in a FortiManager configuration

FGFM can be used to re-establish the connection between a replacement FortiGate unit and its existing FortiManager configuration, for example after an RMA hardware replacement. For a FortiGate running in HA this applies only to the primary unit; it does not apply to subordinate units.

When the FortiGate unit is replaced, perform a Device Manager Connectivity check or Refresh on the FortiManager to establish the FGFM management tunnel to the FortiGate. If it fails to establish, you can force the tunnel by executing the following command on the FortiManager:

execute fgfm reclaim-dev-tunnel <device_name>

Debugging FGFM on FortiManager

  • To display diagnostic information for troubleshooting, set the debug level of the FGFM daemon (give a device name to show only messages related to that device); output appears only after debug output has been enabled with diagnose debug enable:

diagnose debug application fgfmsd <integer> <device_name>

  • To view installation session, object, and session lists:

diagnose fgfm install-session

diagnose fgfm object-list

diagnose fgfm session-list <device_ID>

  • To reclaim a management tunnel (device name is optional):

execute fgfm reclaim-dev-tunnel <device_name>

  • To view the link-local address assigned to the FortiManager:

diagnose fmnetwork interface list

Debugging FGFM on FortiGate

  • To view information about the Central Management System configuration:

get system central-management


  • To produce real-time debugging information (output appears only after debug output has been enabled with diagnose debug enable):

diagnose debug application fgfmd -1

  • To view the link-local address assigned to the FortiManager:

diagnose fmnetwork interface list

FortiOS DHCP options and auto DNS hostname for FortiManager details

A diagnose command shows the FortiManager autodiscovery status, that is, whether FortiManager details have been delivered securely to the FortiGate.

In large deployments, Zero Touch Provisioning (ZTP) of FortiGate units is often required.

Rather than configuring system settings one at a time in the CLI console, ZTP reduces errors, saves time through automated device configuration, and scales better.

This functionality is designed to work even in a closed network with no Internet access.

To verify the FortiManager autodiscovery status, use the following command:

diagnose fdsm fmg-auto-discovery-status
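As an added example, not taken from the Fortinet documentation, the following Python script parses the options field of a DHCP offer and extracts a FortiManager address carried in it, the mechanism this section describes. This page does not state which DHCP option FortiOS reads for FortiManager details, so the option number OPTION_FMG, the helper names (parse_dhcp_options, fortimanager_from_options, build_offer_options) and the sample offer are assumptions made for the demonstration; the option framing itself follows RFC 2132 and RFC 3396.

```python
"""Parse FortiManager details carried in DHCP options (added example).

Not Fortinet code.  FortiOS can learn its FortiManager from DHCP options and
an auto DNS hostname, but this page does not state which option number it
reads, so OPTION_FMG below is an assumption chosen from the site-specific
range (224-254, RFC 3942) purely for the demonstration.  The option framing
follows RFC 2132 and RFC 3396.  The sample packet is constructed here.
"""
from __future__ import annotations

import ipaddress
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"      # cookie that precedes the options field
OPTION_DHCP_MESSAGE_TYPE = 53
OPTION_FMG = 240                      # assumed: ASCII FortiManager IP or FQDN

# Labels of 1-63 chars, at least two labels, 253 chars overall (RFC 1035 limits).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def parse_dhcp_options(field: bytes) -> dict[int, bytes]:
    """Decode a DHCP options field into {code: value}.

    Handles PAD/END, concatenates repeated codes (RFC 3396 long options) and
    raises ValueError on truncated input instead of returning a partial view.
    """
    if not field.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    options: dict[int, bytes] = {}
    i = len(DHCP_MAGIC)
    while i < len(field):
        code = field[i]
        if code == 0:                 # PAD
            i += 1
            continue
        if code == 255:               # END
            return options
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field not terminated by END")


def fortimanager_from_options(options: dict[int, bytes]) -> str | None:
    """Return the FortiManager address from the assumed option, validated.

    The value arrives from the network, so it is accepted only if it is a
    literal IP address or a syntactically valid FQDN; anything else raises.
    """
    raw = options.get(OPTION_FMG)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii").strip().rstrip("\x00")
    except UnicodeDecodeError as exc:
        raise ValueError(f"option {OPTION_FMG} is not ASCII") from exc
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        pass
    if HOSTNAME_RE.match(text):
        return text.lower()
    raise ValueError(f"option {OPTION_FMG} is neither an IP address nor an FQDN: {text!r}")


def build_offer_options(fmg: str) -> bytes:
    """Construct a minimal DHCPOFFER options field carrying the assumed option."""
    value = fmg.encode("ascii")
    return (DHCP_MAGIC
            + bytes([OPTION_DHCP_MESSAGE_TYPE, 1, 2])          # 2 = DHCPOFFER
            + bytes([OPTION_FMG, len(value)]) + value
            + b"\xff")


# Constructed sample, not a capture from a real network.
SAMPLE_OFFER = build_offer_options("fmg.corp.example")

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OFFER)
    print("message type:", opts[OPTION_DHCP_MESSAGE_TYPE][0])
    print("FortiManager:", fortimanager_from_options(opts))
```

The validation step is the point of the example: whatever option FortiOS actually consumes, the value comes from an unauthenticated LAN protocol, so a consumer should accept only a well-formed IP address or FQDN and reject anything else rather than pass it on to the connection logic.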