
FCP_FMG_AD-7.4 Device Registration


Device Registration Detailed Explanation

2.1 FortiGate Registration Process

What is Device Registration in FortiManager?

Device registration is the process of connecting a FortiGate firewall to FortiManager so that it can be centrally managed, monitored, and configured.

Before a FortiGate firewall can be managed by FortiManager, it must go through the registration process, which involves four key steps:

  1. Connecting FortiGate to FortiManager
  • The FortiGate firewall needs to be configured to communicate with FortiManager.
  • FortiGate and FortiManager must be reachable over the network.
  • The correct management ports (TCP/541 and TCP/443) must be open to allow communication.
  2. Authorizing the Device within FortiManager
  • When a FortiGate requests registration, it appears in the Pending Devices section in FortiManager.
  • An administrator must manually approve or reject the device.
  3. Assigning the Device to an Administrative Domain (ADOM)
  • If ADOMs (Administrative Domains) are enabled, the device must be assigned to the correct ADOM.
  • If ADOMs are disabled, the device is automatically assigned to the root ADOM.
  4. Synchronizing Device Settings
  • After approval, FortiManager retrieves the existing configuration settings from FortiGate.
  • This ensures that the FortiManager and FortiGate settings match.

Hands-on Lab: Checking Connectivity Before Registration

Before registering the device, you need to make sure that FortiGate can communicate with FortiManager.

Step 1: Check Network Connectivity

On the FortiGate device, run the following command to ping FortiManager:

execute ping <FortiManager_IP>

If the ping is successful, the network connection is working. If it fails, check:

  • Network routing between FortiGate and FortiManager.
  • Firewall policies that might be blocking traffic.

Step 2: Verify FortiGate’s Management Configuration

To check the current FortiManager settings on FortiGate, run:

show system central-management

If the output shows FortiManager settings, the device is already configured for central management.

Step 3: Open Required Ports on FortiGate

To ensure that FortiGate can communicate with FortiManager, you may need to allow the following ports:

  • TCP/541 → FortiGate uses this port to communicate with FortiManager.
  • TCP/443 → Required for web-based management access.

Use the following CLI command to allow FortiManager access:

config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end

This command ensures that ping, HTTPS, SSH, and FortiGate-FortiManager (fgfm) connections are enabled on the management interface.
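The lab above checks reachability from the FortiGate CLI. As an added example (not part of the original course material and not a Fortinet tool), the following script performs the same TCP/541 and TCP/443 pre-flight check from an administrator's workstation so that a blocked port can be found before the device is registered. The function and file names are hypothetical, and the default target address 192.168.1.100 is the page's sample value; the local listener exists only so the check can be exercised offline.

```python
import socket
import sys

# Ports the course lists as required for FortiGate <-> FortiManager communication
FGFM_PORT = 541   # FortiGate-FortiManager (fgfm) management tunnel
HTTPS_PORT = 443  # web-based management access
REQUIRED_PORTS = (FGFM_PORT, HTTPS_PORT)


def check_tcp_port(host, port, timeout=3.0):
    """Attempt a plain TCP connect to host:port.

    Returns (reachable, detail). A completed handshake shows that routing and
    any intermediate firewall policy allow the port; it does not prove that the
    FGFM service itself is listening or that certificates will validate.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP handshake completed"
    except socket.timeout:
        return False, "timed out (port filtered or host unreachable)"
    except ConnectionRefusedError:
        return False, "connection refused (host up, port closed)"
    except OSError as exc:
        return False, "error: %s" % exc


def preflight(fmg_host, ports=REQUIRED_PORTS, timeout=3.0):
    """Check every required port; returns {port: (reachable, detail)}."""
    return {port: check_tcp_port(fmg_host, port, timeout) for port in ports}


def all_reachable(results):
    """True only when every required port completed a handshake."""
    return all(ok for ok, _ in results.values())


def start_local_listener():
    """Open a listening socket on 127.0.0.1 with an ephemeral port.

    Used only to exercise the check offline; returns (port, server_socket).
    The caller closes the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    # Usage: python fmg_preflight.py <FortiManager_IP>
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"  # sample address from the course
    results = preflight(target)
    for port, (ok, detail) in sorted(results.items()):
        print("TCP/%d %s: %s" % (port, "OK  " if ok else "FAIL", detail))
    sys.exit(0 if all_reachable(results) else 1)
```

A "timed out" result usually points at a missing route or a firewall policy that silently drops the traffic (the items listed under Step 1), whereas "connection refused" means the host answered and the service is simply not listening on that port.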

2.2 Methods of Device Registration

There are four primary methods for registering FortiGate devices with FortiManager. Let’s go through them step by step.

1. Manual Registration (GUI-based)

This method requires an administrator to manually enter the FortiGate device’s details into FortiManager.

Steps for Manual Registration:
  1. Log in to the FortiManager GUI.
  2. Navigate to Device Manager.
  3. Click "Add Device".
  4. Fill in the following details:
  • Device Name: Give a recognizable name to the FortiGate.
  • IP Address: Enter the FortiGate’s management IP address.
  • Username & Password: Provide admin credentials for FortiGate.
  5. Click OK to save.
  6. The device will appear under Pending Devices.
  7. Manually approve the device in FortiManager.

Hands-on Lab: Manual Registration

Try registering a FortiGate manually and verify its status under Device Manager.

2. Automatic Registration (Pre-configured Setup)

This method is useful for large-scale deployments where devices are pre-configured to contact FortiManager.

How Automatic Registration Works
  1. The FortiGate device is pre-configured with FortiManager’s IP.
  2. When the device connects to the network, it automatically sends a registration request.
  3. The administrator logs into FortiManager and approves the request.

CLI Configuration for Automatic Registration

On the FortiGate device, run the following CLI commands:

config system central-management
    set type fortimanager
    set fmg 192.168.1.100  # Replace with your FortiManager IP
end

Once this is set, the FortiGate device automatically appears in FortiManager for approval.

Hands-on Lab: Automatic Registration

Try setting up automatic registration and see if FortiManager detects the device automatically.

3. Zero-Touch Provisioning (ZTP)

Best for large enterprises deploying multiple devices at once.

How ZTP Works
  1. FortiDeploy Cloud automatically assigns the correct FortiManager IP to new FortiGate devices.
  2. The devices connect to FortiManager without manual intervention.
  3. The administrator only approves the request.

Advantages of ZTP
  • No manual setup required.
  • Works out of the box.
  • Ideal for remote branch deployments.

Hands-on Lab: ZTP

If you have access to FortiDeploy, try setting up Zero-Touch Provisioning.

4. Script-Based Registration (CLI-based)

If you prefer using the CLI, you can manually register a FortiGate device using the following commands.

CLI Commands for Manual Registration

config system central-management
    set type fortimanager
    set fmg 192.168.1.100  # Replace with FortiManager’s IP
    set fmg-source-ip 192.168.1.1  # Optional: Specify source IP
end

Hands-on Lab: Script-Based Registration
  • Run the above commands on the FortiGate CLI.
  • Log into FortiManager and approve the request.

2.3 Device Connectivity Status

After a device is registered, FortiManager displays its status to indicate whether it is properly connected.

Status             Meaning
Pending Approval   The device has requested registration but is waiting for administrator approval.
Authorized         The device is registered and managed by FortiManager.
Unauthorized       The device was rejected by an administrator.
Disconnected       The device is offline and not communicating with FortiManager.

Checking Device Status in CLI

To check FortiGate’s connection status, use the following command:

diagnose sys central-management status

This command provides real-time information about whether FortiGate is properly registered and communicating with FortiManager.

Hands-on Lab: Checking Connection Status

Run the above command and verify whether:

  • The device is connected to FortiManager.
  • The status is Authorized.

2.4 Troubleshooting FortiGate Registration Issues

Even after configuring a FortiGate device to register with FortiManager, you may encounter registration failures or connection issues. Below are the common problems and how to fix them.

1. FortiGate is not appearing in FortiManager (Registration Failure)

Possible Causes:
  • The FortiManager IP is incorrect in the FortiGate configuration.
  • Network connectivity between FortiGate and FortiManager is blocked.
  • The required management ports (TCP/541 and TCP/443) are closed.
  • FortiGate is in a different subnet and cannot reach FortiManager.
  • The FortiGate firmware is incompatible with FortiManager.
Solution:
  1. Verify the IP address configuration
     Run the following command on FortiGate:

show system central-management

Ensure that the FortiManager IP is correct.

  2. Check network connectivity
     Try pinging FortiManager from FortiGate:

execute ping <FortiManager_IP>

If ping fails, check the routing and firewall policies.

  3. Check if FortiManager is reachable on the required ports
     From FortiGate, run:

execute telnet <FortiManager_IP> 541
execute telnet <FortiManager_IP> 443

If the connection fails, make sure that TCP/541 and TCP/443 are open.
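Both the script-based registration in section 2.2 and step 1 of this troubleshooting list revolve around the same `config system central-management` block: one side writes it, the other reads it back with `show system central-management` to confirm the FortiManager IP. The following is an added example (my own code, not Fortinet's and not part of the course) that renders that block for a device with address validation, parses `show` output back into key/value pairs, and reports the mismatches this section tells you to look for. The sample `show` output is constructed from the page's own block with values in double quotes, which is how `show` prints string values; the function names are hypothetical.

```python
import ipaddress
import re


def render_central_management(fmg_ip, source_ip=None):
    """Emit the FortiOS CLI block from section 2.2 for one device.

    Raises ValueError on a malformed address so a typo never reaches the device.
    """
    ipaddress.ip_address(fmg_ip)
    lines = [
        "config system central-management",
        "    set type fortimanager",
        "    set fmg %s" % fmg_ip,
    ]
    if source_ip:
        ipaddress.ip_address(source_ip)
        lines.append("    set fmg-source-ip %s" % source_ip)
    lines.append("end")
    return "\n".join(lines)


# Matches one `set <key> <value>` line; the value may be quoted in show output
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_central_management(show_output):
    """Return {key: value} for the settings inside the central-management block.

    Only the lines between `config system central-management` and its `end`
    are considered; surrounding quotes on values are removed.
    """
    settings = {}
    inside = False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped == "config system central-management":
            inside = True
            continue
        if inside and stripped == "end":
            break
        if inside:
            match = _SET_RE.match(line)
            if match:
                settings[match.group(1)] = match.group(2).strip('"')
    return settings


def audit_registration(show_output, expected_fmg_ip):
    """Compare a device's show output with the FortiManager address it should use.

    Returns a list of findings; an empty list means the block looks correct.
    """
    findings = []
    cfg = parse_central_management(show_output)
    if not cfg:
        findings.append("no central-management block found")
        return findings
    if cfg.get("type") != "fortimanager":
        findings.append("type is %r, expected 'fortimanager'" % cfg.get("type", "unset"))
    fmg = cfg.get("fmg")
    if fmg is None:
        findings.append("fmg address not set")
    else:
        try:
            same = ipaddress.ip_address(fmg) == ipaddress.ip_address(expected_fmg_ip)
        except ValueError:
            findings.append("fmg value %r is not a valid IP address" % fmg)
        else:
            if not same:
                findings.append("fmg is %s, expected %s" % (fmg, expected_fmg_ip))
    return findings


# Constructed sample of `show system central-management` output on a device
# whose FortiManager address was mistyped (192.168.1.200 instead of .100).
SAMPLE_SHOW_WRONG_IP = """\
config system central-management
    set type fortimanager
    set fmg "192.168.1.200"
end
"""

if __name__ == "__main__":
    print(render_central_management("192.168.1.100", source_ip="192.168.1.1"))
    for finding in audit_registration(SAMPLE_SHOW_WRONG_IP, "192.168.1.100"):
        print("FINDING:", finding)
```

In a bulk deployment the rendered block is what a script pushes to each device; after the push, the audit run over each device's `show` output catches the two causes listed above that live in the configuration itself (wrong FortiManager IP, wrong or missing type) before you move on to routing and port checks.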

2. FortiGate is stuck in "Pending Approval" state

Possible Causes:
  • The FortiGate has sent a request, but no administrator has approved it in FortiManager.
  • The wrong ADOM (Administrative Domain) was selected during approval.
  • The FortiGate firmware version does not match FortiManager’s expected version.
Solution:
  1. Check pending devices in FortiManager
  • Log in to the FortiManager GUI.
  • Go to Device Manager → Pending Devices.
  • Select the FortiGate and click Approve.
  2. Check if ADOMs are enabled
  • Go to System Settings → ADOMs.
  • Ensure that the FortiGate is assigned to the correct ADOM.
  3. Verify Firmware Compatibility
  • Go to System Settings → FortiGuard.
  • Check the supported firmware versions.
  • If the FortiGate firmware is too old, consider upgrading it.

3. FortiGate is showing as "Disconnected" in FortiManager

Possible Causes:
  • The FortiGate device is powered off.
  • The network connection is lost between FortiGate and FortiManager.
  • FortiManager reached the device limit (in licensed versions).
  • The FortiGate management IP has changed, and FortiManager cannot reach it.
Solution:
  1. Check FortiGate’s connectivity from the CLI

diagnose sys central-management status

This command shows whether FortiGate is communicating with FortiManager.

  2. Re-establish the connection manually
     If FortiGate is no longer communicating, try re-registering it:

config system central-management
    set type fortimanager
    set fmg <FortiManager_IP>
end

  3. Check the device limit on FortiManager
  • If you are using a trial version, check how many devices can be registered.

2.5 Managing Registered Devices in FortiManager

Once a FortiGate device is successfully registered in FortiManager, you can perform various management tasks.

1. Viewing Registered Devices

  • Go to Device Manager → Managed Devices.
  • You will see a list of all FortiGate devices.

2. Synchronizing Configuration

After registering a device, FortiManager retrieves its existing configuration.

How to manually synchronize a device:
  1. Go to Device Manager.
  2. Click on the FortiGate device.
  3. Click Retrieve Config.

Alternatively, you can synchronize via CLI:

diagnose sys central-management sync-status

2.6 Policy Synchronization Between FortiManager and FortiGate

When a device is first registered, FortiManager does not automatically apply new policies. The administrator must push the policy packages to FortiGate.

Steps to Apply Policies from FortiManager to FortiGate

  1. Log in to FortiManager.
  2. Go to Policy & Objects.
  3. Select the Policy Package assigned to the device.
  4. Click Install Wizard.
  5. Choose the target FortiGate device.
  6. Click Install.

Checking Policy Sync Status in CLI

On FortiGate, you can check if the latest policies are applied:

diagnose sys cmdb status

2.7 Hands-on Lab Exercises

These exercises will help you practice the concepts we covered.

Exercise 1: Manually Register a FortiGate Device

  1. Log into the FortiManager GUI.
  2. Go to Device Manager and click Add Device.
  3. Enter:
  • Device Name: Branch-Firewall
  • IP Address: 192.168.1.10
  • Admin Username & Password.
  4. Click OK.
  5. Approve the device in Pending Devices.

Exercise 2: Register FortiGate Using CLI

  1. Open the FortiGate CLI.
  2. Run:

config system central-management
    set type fortimanager
    set fmg 192.168.1.100  # Replace with your FortiManager IP
end

  3. Log into FortiManager and approve the device.

Exercise 3: Troubleshoot a Disconnected FortiGate

  1. Run the following command on FortiGate:

diagnose sys central-management status

  2. If FortiGate is disconnected, try re-registering it.
  3. Run:

execute ping <FortiManager_IP>

If ping fails, check network connectivity.

Frequently Asked Questions

What must occur before a FortiGate can be managed by FortiManager?

Answer:

The FortiGate must be authorized in FortiManager.

Explanation:

After a FortiGate connects to FortiManager, it appears in the device manager as an unauthorized device. The administrator must approve the device to establish trust. Authorization ensures that only approved devices are managed centrally. Once authorized, the FortiGate is assigned to an ADOM and its configuration can be synchronized with the FortiManager database.

Demand Score: 82

Exam Relevance Score: 90

Why might a FortiGate fail to register with FortiManager?

Answer:

The FortiGate may not be configured with the correct FortiManager IP or may have connectivity issues.

Explanation:

For registration to occur, the FortiGate must know the FortiManager address using the set fmg configuration command. If the IP address is incorrect or the firewall cannot reach FortiManager due to routing or firewall policies, the device cannot establish a management connection. Additionally, mismatched firmware compatibility or disabled FortiManager features can prevent registration.

Demand Score: 86

Exam Relevance Score: 88

What happens after a FortiGate is successfully registered in an ADOM?

Answer:

Its configuration is imported into the FortiManager device database.

Explanation:

Once authorized and assigned to an ADOM, FortiManager retrieves the current device configuration and stores it in its management database. This allows centralized policy control and configuration management. From that point forward, changes should be made through FortiManager to maintain synchronization between the device and the management database.

Demand Score: 74

Exam Relevance Score: 86

Why might a FortiGate appear as unregistered even after configuration?

Answer:

The FortiGate has not yet been authorized by the FortiManager administrator.

Explanation:

FortiManager requires manual authorization for security reasons. Even if the FortiGate is configured to connect to FortiManager, it will remain in a pending state until the administrator approves it. This prevents unauthorized devices from automatically joining the management infrastructure.

Demand Score: 78

Exam Relevance Score: 85

Why would an administrator assign devices to different ADOMs during registration?

Answer:

To isolate policy databases and administrative control.

Explanation:

Each ADOM maintains its own policy packages and object databases. Assigning devices to different ADOMs allows administrators to manage separate networks independently. This is especially important for MSSP environments managing multiple customers.

Demand Score: 69

Exam Relevance Score: 80
