Description
This article explains how to understand the secure communication between FortiManager and managed FortiGate devices and how to verify connections via the CLI of the FortiManager.
Scope
FortiManager 4.0 and above. FortiOS 4.0 and above.
Solution
An SSL tunnel secures communications between the FortiManager and managed FortiGate devices. IPv4 link-local addresses from the 169.254.0.0/16 subnet are used as point-to-point addresses inside that tunnel between the FortiManager and each FortiGate.
1. All IPv4 link-local addresses assigned to remote devices inside the tunnel can be seen with the following CLI commands on the FortiManager.
FMG1KC-2 # diag debug en
FMG1KC-2 # diag fgfm session-list
Session List
device(mfg1-HA-Cluster)ip(10.180.1.1)tunnel(0.0.0.0)uptime:
device(ofgtest-HA-Cluster)ip(10.170.1.11)tunnel(0.0.0.0)uptime:
device(ofg1-HA-Cluster)ip(10.170.1.1)tunnel(0.0.0.0)uptime:
device(mkdfw2-HA-Cluster)ip(172.18.41.70)tunnel(0.0.0.0)uptime:
FMG1KC-2 #
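To check a fleet rather than reading the session list by eye, the records can be parsed and each tunnel address tested against 169.254.0.0/16. The script below is an added example, not Fortinet code; it assumes the device(...)ip(...)tunnel(...) record layout shown above, and treating tunnel(0.0.0.0) as "no link-local address reported" is an assumption, not documented behaviour.

```python
"""Parse 'diag fgfm session-list' output and classify each FGFM tunnel address."""
import ipaddress
import re

# FGFM point-to-point addresses come from the link-local 169.254.0.0/16 subnet.
FGFM_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# One device(...)ip(...)tunnel(...) triplet per managed device; records may be
# run together on a single line, so finditer() is used instead of line splitting.
SESSION_RE = re.compile(
    r"device\((?P<device>[^)]*)\)ip\((?P<ip>[^)]*)\)tunnel\((?P<tunnel>[^)]*)\)"
)


def parse_session_list(text):
    """Return (device, management_ip, tunnel_ip) tuples found in the output."""
    return [m.group("device", "ip", "tunnel") for m in SESSION_RE.finditer(text)]


def classify_tunnel(tunnel_ip):
    """'link-local' = address in 169.254.0.0/16 as expected,
    'none' = 0.0.0.0 (assumed: no tunnel address reported),
    'unexpected' = any other address, 'unparseable' = not an IP at all."""
    try:
        addr = ipaddress.ip_address(tunnel_ip)
    except ValueError:
        return "unparseable"
    if addr == ipaddress.ip_address("0.0.0.0"):
        return "none"
    if addr in FGFM_LINK_LOCAL:
        return "link-local"
    return "unexpected"


def check_sessions(text):
    """Map each managed device name to the status of its tunnel address."""
    return {dev: classify_tunnel(tun) for dev, _ip, tun in parse_session_list(text)}


# Constructed sample: the four records from the article's output, plus one
# hypothetical device (fgt-lab) that does report a link-local tunnel address.
SAMPLE = (
    "Session List\n"
    "device(mfg1-HA-Cluster)ip(10.180.1.1)tunnel(0.0.0.0)uptime: "
    "device(ofgtest-HA-Cluster)ip(10.170.1.11)tunnel(0.0.0.0)uptime: "
    "device(ofg1-HA-Cluster)ip(10.170.1.1)tunnel(0.0.0.0)uptime:"
    "device(mkdfw2-HA-Cluster)ip(172.18.41.70)tunnel(0.0.0.0)uptime:\n"
    "device(fgt-lab)ip(10.1.1.1)tunnel(169.254.0.2)uptime:\n"
)

if __name__ == "__main__":
    for device, status in check_sessions(SAMPLE).items():
        print(f"{device}: {status}")
```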
2. The link-local address assigned to the FortiManager itself (the svr_fgfm interface in the output below) can be seen by running the following CLI command on the FortiManager.
FMG1KC-2 # diagnose fmnetwork interface list
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:229997 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24087792 (22.9 MiB)  TX bytes:24087792 (22.9 MiB)

port1     Link encap:Ethernet  HWaddr 84:2B:2B:5D:14:91
          inet addr:10.169.1.171  Bcast:10.169.1.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7199911 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89424 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:627731365 (598.6 MiB)  TX bytes:14234237 (13.5 MiB)
          Interrupt:209 Memory:da000000-da012800

port2     Link encap:Ethernet  HWaddr 84:2B:2B:5D:14:92
          inet addr:192.168.183.171  Bcast:192.168.183.255  Mask:255.255.254.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:16415654 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274388 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1366668405 (1.2 GiB)  TX bytes:23945339 (22.8 MiB)
          Interrupt:217 Memory:dc000000-dc012800

port3     Link encap:Ethernet  HWaddr 00:09:0F:E2:C7:AC
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0xec80 Memory:df440000-df460000

port4     Link encap:Ethernet  HWaddr 00:09:0F:E2:C7:AD
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0xecc0 Memory:df460000-df480000

svr_fgfm  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:17106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2162786 (2.0 MiB)  TX bytes:1474159 (1.4 MiB)