FGFM – FortiGate to FortiManager protocol

The FortiGate to FortiManager (FGFM) protocol is designed for FortiGate and FortiManager deployment scenarios, especially where NAT is used. These scenarios include the FortiManager on the public internet while the FortiGate unit is behind NAT, the FortiGate unit on the public internet while the FortiManager is behind NAT, or both the FortiManager and the FortiGate unit having routable IP addresses.

The FortiManager unit’s Device Manager uses FGFM to create new device groups, provision and add devices, and install policy packages and device settings.

Port 541 is the default port used for FortiManager traffic on the internal management network.

Adding a FortiGate to the FortiManager

Adding a FortiGate unit to a FortiManager requires configuration on both devices. This section describes the basics to configure management using a FortiManager device.

FortiGate configuration

Adding a FortiGate unit to FortiManager ensures that the unit can receive antivirus and IPS updates and allows remote management through the FortiManager system or the FortiCloud service. The FortiGate unit can be in either NAT or transparent mode. The FortiManager unit provides remote management of a FortiGate unit over TCP port 541.

You must first enable Central Management on the FortiGate so management updates to firmware and FortiGuard services are available:

  1. Go to System > Settings.
  2. Set Central Management to FortiManager.
  3. Enter the FortiManager’s IP/Domain Name in the field provided, and select Send Request.

You can also select Registration Password and enter a password to connect to the FortiManager.

To configure the previous steps in the CLI, enter the following:

  config system central-management
      set fmg <ip_address>
  end

To use the registration password, enter the following:

  execute central-mgmt register-device <fmg-serial-no> <fmg-register-password> <fgt-username> <fgt-password>

Configuring an SSL connection

The default encryption setting automatically selects the high and medium encryption algorithms. The algorithms used for High, Medium, and Low follow the OpenSSL definitions below:

  Encryption level   Key strength                                     Algorithms used
  High               Key lengths larger than 128 bits, and some       DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:
                     cipher suites with 128-bit keys.                 DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA
  Medium             Key strengths of 128-bit encryption.             RC4-SHA:RC4-MD5:RC4-MD
  Low                Key strengths of 64- or 56-bit encryption        EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5
                     algorithms, excluding export cipher suites.

An SSL connection can be configured between the two devices and an encryption level selected. To configure the connection in the CLI, enter the following:

  config system central-management
      set status enable
      set enc-algorithm {default | high | low}
  end

The default value automatically selects the high and medium encryption algorithms.
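As an added example (not from this page or from Fortinet), the following Python script audits the three OpenSSL cipher strings from the table above and shows why only the high level is defensible for the FGFM tunnel, and that even high still carries 3DES, MD5 and non-forward-secret suites. The cipher strings are copied from the table as printed; the weakness categories are this example's own.

```python
import re

# Cipher strings exactly as printed in the table above, keyed by the
# FortiGate "set enc-algorithm" level they belong to. The last "medium"
# entry is copied as printed (it is truncated on the page).
FGFM_CIPHER_LEVELS = {
    "high": "DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:"
            "DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA",
    "medium": "RC4-SHA:RC4-MD5:RC4-MD",
    "low": "EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5",
}

def audit_suite(name):
    """Return the weaknesses found in one OpenSSL cipher-suite name.
    The categories are this example's own; an empty list means no finding."""
    issues = []
    # DHE/EDH prefixes mark ephemeral Diffie-Hellman; every other suite in
    # these strings uses static RSA key transport, so a leaked FortiManager
    # key would decrypt recorded FGFM sessions.
    if not re.match(r"(DHE|EDH)-", name):
        issues.append("no forward secrecy (static RSA key exchange)")
    if "RC4" in name:
        issues.append("RC4 stream cipher (biased keystream)")
    if "DES-CBC3" in name:
        issues.append("3DES, 64-bit block (birthday-bound at high volume)")
    elif "DES-CBC" in name:
        issues.append("single DES, 56-bit key")
    mac = re.search(r"-(SHA\d*|MD5)$", name)
    if mac is None:
        issues.append("unrecognised MAC suffix (name truncated?)")
    elif mac.group(1) == "MD5":
        issues.append("MD5 MAC")
    return issues

def audit_level(level):
    """Map every suite in an enc-algorithm level to its list of findings."""
    return {s: audit_suite(s) for s in FGFM_CIPHER_LEVELS[level].split(":")}

def clean_suites(level):
    """Suites in a level that have no finding at all."""
    return [s for s, found in audit_level(level).items() if not found]

if __name__ == "__main__":
    for level in FGFM_CIPHER_LEVELS:
        print(f"[{level}] clean suites: {clean_suites(level) or 'none'}")
        for suite, found in audit_level(level).items():
            for issue in found:
                print(f"    {suite}: {issue}")
```

Running it reports no clean suite at all for medium or low, and only the two DHE-RSA AES suites as clean within high.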

FortiManager configuration

Use the Device Manager pane to add, configure, and manage devices.

You can add existing operational devices, unregistered devices, provision new devices, and add multiple devices at a time.

Adding an operating FortiGate HA cluster to the Device Manager pane is similar to adding a standalone device. Type the IP address of the master device. The FortiManager will handle the cluster as a single managed device.

To confirm that a device model or firmware version is supported by the firmware version currently running on the FortiManager, enter the following CLI command:

  diagnose dvm supported-platforms list

See the FortiManager Administration Guide for full details on adding devices, under Device Manager.

FGFM is also used in ADOMs (Administrative Domains) set to Normal Mode. Normal Mode has Read/Write privileges, where the administrator is able to make changes to the ADOM and manage devices from the FortiManager. FortiGate units in the ADOM will query their own configuration every five seconds. If there has been a configuration change, the FortiGate unit will send a revision on the change to the FortiManager using the FGFM protocol.

To configure central management on the FortiGate unit, enter the following on the FortiGate:

  config system central-management
      set mode backup
      set fortimanager-fds-override enable
      set fmg <FortiManager_IP_address>
  end

Replacing a FortiGate in a FortiManager configuration

FGFM can be used to re-establish the connection between a FortiGate unit and an existing FortiManager configuration. This is useful if a FortiGate unit has to be replaced following an RMA hardware replacement. It applies to a FortiGate running in HA as the primary unit; it does not apply to subordinate units.

When the FortiGate unit has been replaced, perform a Device Manager Connectivity check or Refresh on the FortiManager to establish the FGFM management tunnel to the FortiGate. If the tunnel fails to establish, you can force it by executing the following command on the FortiManager:

exec fgfm reclaim-dev-tunnel <device_name>

Debugging FGFM on FortiManager

  • To display diagnostic information for troubleshooting (sets the debug level of the FGFM daemon; enter a device name to show only messages related to that device): diag debug application fgfmsd <integer> <device_name>
  • To view installation session, object, and session lists:
      diag fgfm install-session
      diag fgfm object-list
      diag fgfm session-list <device_ID>
  • To reclaim a management tunnel (device name is optional): execute fgfm reclaim-dev-tunnel <device_name>
  • To view the link-local address assigned to the FortiManager: diag fmnetwork interface list

Debugging FGFM on FortiGate

  • To view information about the Central Management System configuration: get system central-management
  • To produce realtime debugging information: diag debug application fgfmd -1
  • To view the link-local address assigned to the FortiManager: diag fmnetwork interface list

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
