FortiGate
Jonathan_Body_FTNT
Article Id 196876

Description

This article describes the secure communication channel between FortiManager and its managed FortiGate devices, and how to verify the state of those connections from the FortiManager CLI.


Scope

FortiManager 4.0 and above. FortiOS 4.0 and above.


Solution

An SSL tunnel (the FGFM protocol, which the FortiManager accepts on TCP port 541) secures all communication between the FortiManager and its managed FortiGate devices. Inside the tunnel, each end is assigned an IPv4 link-local address from 169.254.0.0/16; these addresses act as point-to-point addresses between the FortiManager and each FortiGate and are never routed on the management network itself.
 
1.  The IPv4 link-local addresses assigned to the remote devices inside the tunnel can be seen with the following CLI commands on the FortiManager. Each entry shows the device name, its IP address as seen by the FortiManager, the link-local tunnel address, and the tunnel uptime. A tunnel of 0.0.0.0 with an empty uptime, as for every device in the capture below, means that no tunnel is currently established with that device; a connected device shows a 169.254.x.x address and an uptime.

FMG1KC-2 # diag debug en

FMG1KC-2 # diag fgfm session-list
Session List
device(mfg1-HA-Cluster)ip(10.180.1.1)tunnel(0.0.0.0)uptime:
device(ofgtest-HA-Cluster)ip(10.170.1.11)tunnel(0.0.0.0)uptime:
device(ofg1-HA-Cluster)ip(10.170.1.1)tunnel(0.0.0.0)uptime:
device(mkdfw2-HA-Cluster)ip(172.18.41.70)tunnel(0.0.0.0)uptime:

FMG1KC-2 #

2.  The link-local address assigned to the FortiManager's own end of the tunnel is bound to the svr_fgfm interface, which can be seen by running the following CLI command on the FortiManager (169.254.0.1 in the output below; the physical ports carry the normal management addresses).

FMG1KC-2 # diagnose fmnetwork interface list

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:229997 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24087792 (22.9 MiB)  TX bytes:24087792 (22.9 MiB)

port1     Link encap:Ethernet  HWaddr 84:2B:2B:5D:14:91
          inet addr:10.169.1.171  Bcast:10.169.1.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7199911 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89424 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:627731365 (598.6 MiB)  TX bytes:14234237 (13.5 MiB)
          Interrupt:209 Memory:da000000-da012800

port2     Link encap:Ethernet  HWaddr 84:2B:2B:5D:14:92
          inet addr:192.168.183.171  Bcast:192.168.183.255  Mask:255.255.254.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:16415654 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274388 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1366668405 (1.2 GiB)  TX bytes:23945339 (22.8 MiB)
          Interrupt:217 Memory:dc000000-dc012800

port3     Link encap:Ethernet  HWaddr 00:09:0F:E2:C7:AC
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0xec80 Memory:df440000-df460000

port4     Link encap:Ethernet  HWaddr 00:09:0F:E2:C7:AD
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0xecc0 Memory:df460000-df480000

svr_fgfm  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:17106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2162786 (2.0 MiB)  TX bytes:1474159 (1.4 MiB)
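As an added example (not part of the article and not Fortinet code), the following Python script parses the two outputs above and performs the checks a practitioner would otherwise do by eye: which managed devices currently have an established tunnel, and whether the FortiManager's svr_fgfm address is inside 169.254.0.0/16. The sample text is constructed from the captures above; the second session record is changed to show an established tunnel, and the uptime text format in that record is an assumption made for illustration. The parser deliberately handles records that have been run together on one line, as happened in the capture.

```python
import ipaddress
import re

# Constructed sample of "diagnose fgfm session-list" output. Records are copied from
# the article's capture except the second, which is changed to show an established
# tunnel (the uptime text format is an assumption for illustration). The third and
# fourth records are run together on one line, as in the capture.
SESSION_LIST = """Session List
device(mfg1-HA-Cluster)ip(10.180.1.1)tunnel(0.0.0.0)uptime:
device(ofgtest-HA-Cluster)ip(10.170.1.11)tunnel(169.254.0.3)uptime:2 days 3 hours
device(ofg1-HA-Cluster)ip(10.170.1.1)tunnel(0.0.0.0)uptime:device(mkdfw2-HA-Cluster)ip(172.18.41.70)tunnel(0.0.0.0)uptime:
"""

# Constructed, shortened sample of "diagnose fmnetwork interface list" output.
IFCONFIG = """lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

port1     Link encap:Ethernet  HWaddr 84:2B:2B:5D:14:91
          inet addr:10.169.1.171  Bcast:10.169.1.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

port3     Link encap:Ethernet  HWaddr 00:09:0F:E2:C7:AC
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

svr_fgfm  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
"""

# Range the FGFM tunnel addresses are drawn from (IPv4 link-local).
FGFM_LINKLOCAL = ipaddress.ip_network("169.254.0.0/16")

# One session record. The lazy uptime group stops at the next "device(", a newline,
# or end of text, so records fused onto one line are still split correctly.
SESSION_RE = re.compile(
    r"device\((?P<device>[^)]*)\)"
    r"ip\((?P<ip>[^)]*)\)"
    r"tunnel\((?P<tunnel>[^)]*)\)"
    r"uptime:(?P<uptime>[^\n]*?)(?=device\(|\n|$)"
)


def is_fgfm_tunnel_address(addr):
    """True when addr is a usable tunnel address: inside 169.254.0.0/16.

    The 0.0.0.0 placeholder printed for devices without a tunnel falls outside
    the range, so it is rejected without a special case."""
    try:
        return ipaddress.ip_address(addr) in FGFM_LINKLOCAL
    except ValueError:
        return False


def parse_session_list(text):
    """Parse session-list output into dicts with device, ip, tunnel, uptime, established."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        rec = m.groupdict()
        rec["uptime"] = rec["uptime"].strip()
        rec["established"] = is_fgfm_tunnel_address(rec["tunnel"])
        sessions.append(rec)
    return sessions


def interface_addresses(ifconfig_text):
    """Map each interface name to its inet addr (None when the interface has no IPv4 address)."""
    addrs = {}
    current = None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():  # a new interface block starts in column 0
            current = line.split()[0]
            addrs[current] = None
        elif current is not None:
            m = re.search(r"inet addr:(\S+)", line)
            if m:
                addrs[current] = m.group(1)
    return addrs


def check_fgfm(session_text, ifconfig_text):
    """Cross-check both outputs: the server end is link-local, and list devices with no tunnel."""
    server = interface_addresses(ifconfig_text).get("svr_fgfm")
    sessions = parse_session_list(session_text)
    return {
        "server": server,
        "server_ok": server is not None and is_fgfm_tunnel_address(server),
        "sessions": sessions,
        "down": [s["device"] for s in sessions if not s["established"]],
    }


if __name__ == "__main__":
    result = check_fgfm(SESSION_LIST, IFCONFIG)
    print(f"svr_fgfm address {result['server']} is link-local: {result['server_ok']}")
    for s in result["sessions"]:
        state = f"up, tunnel {s['tunnel']}, uptime {s['uptime']}" if s["established"] else "no tunnel"
        print(f"{s['device']:<20} {s['ip']:<15} {state}")
```

Feed the script the real output of the two commands (for example, pasted from a terminal session) in place of the constructed samples; devices listed under "down" are the ones to investigate first, and a svr_fgfm address outside 169.254.0.0/16, or no svr_fgfm interface at all, means the FortiManager's end of the tunnel is not set up as the article describes.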
