Debbie_FTNT
Staff
Article Id 195695
Description
This article explains how to add a FortiGate to FortiManager successfully when the error 'Probe failed' appears while adding it with RADIUS user credentials and the FortiGate's management VDOM is not root.

Useful links:

Fortinet Documentation

FortiManager handbook: https://docs.fortinet.com/product/fortimanager/6.2

Set up RADIUS authentication on FortiGate: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36127

Solution

The error 'Probe failed.' happens under the following conditions:

- a VDOM other than root is the management VDOM
- the RADIUS configuration (config user radius, config user group) is not present in the root VDOM
- it does not matter which FortiGate interface FortiManager reaches the FortiGate on


To add the FortiGate successfully, the following configuration changes need to be made:

1) Create an inter-VDOM link between the root VDOM and the management VDOM, and assign each side an IP address from a small transfer subnet (a /30 in the example).

Example (the management VDOM is named "test" here; "<inter-vdom-link0>" is the root side and "<inter-vdom-link1>" the management side):

config global
    config system interface
        edit "<inter-vdom-link0>"
            set vdom "root"
            set ip 192.168.200.2 255.255.255.252
            set allowaccess ping https ssh fgfm
        next
        edit "<inter-vdom-link1>"
            set vdom "test"
            set ip 192.168.200.1 255.255.255.252
            set allowaccess ping https ssh fgfm
        next
    end
end


2) Copy 'config user radius' and 'config user group' from the management VDOM to the root VDOM.
Note: the objects must have the same names in both the root VDOM and the management VDOM.

3) Create a route to the RADIUS server via the inter-VDOM link in the root VDOM. The gateway is the management-VDOM side of the link, the device is the root side.

config vdom
    edit root
        config router static
            edit 1
                set dst <radius-server IP> 255.255.255.255
                set gateway <inter-vdom-link IP on mgmt-vdom-side>
                set device <inter-vdom-link interface on root side>
            next
        end
    next
end

4) Create a policy in the management VDOM from the inter-VDOM link to the RADIUS server (wan1 in the diagram). The address objects must exist before the policy references them, so they are created first. "npu0_vlink1" is the management-VDOM side of the inter-VDOM link in this example.

config vdom
    edit <management-vdom>
        config firewall address
            edit "RADIUS-server"
                set subnet <radius-server IP> 255.255.255.255    ## the IP of the RADIUS server
            next
            edit "source-root-RADIUS"
                set subnet <inter-vdom-link-IP> 255.255.255.255    ## the IP of the inter-VDOM link on the root side
            next
        end
        config firewall policy
            edit 1
                set name "RADIUS-passthrough"
                set srcintf "npu0_vlink1"
                set dstintf "wan1"
                set srcaddr "source-root-RADIUS"
                set dstaddr "RADIUS-server"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

5) Add the FortiGate in FortiManager under 'Device Manager' with the RADIUS admin credentials.
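The following consolidated CLI script is added here as a worked example; it is not part of the original article. It puts the five steps together with the concrete link addresses used above (root side 192.168.200.2, management side 192.168.200.1, management VDOM "test") and with constructed placeholder values that are assumptions, not from the article: RADIUS server 10.0.0.10 reached through wan1 of the management VDOM, an inter-VDOM link named "fmg-link" (interfaces fmg-link0 and fmg-link1), and RADIUS objects named "RADIUS-srv" and "RADIUS-admins". It deliberately differs from the article's fragments in two points: the address objects are created before the policy that references them, and the policy service is the predefined RADIUS service (UDP 1812-1813) instead of ALL, so the pass-through policy only carries RADIUS traffic.

```fortios
# Added example, not from the article. Assumed values: management VDOM "test",
# RADIUS server 10.0.0.10 behind wan1 of VDOM "test", link name "fmg-link",
# RADIUS objects "RADIUS-srv" / "RADIUS-admins". Replace <shared-secret>.

config global
    # Step 1: inter-VDOM link; side 0 is placed in root, side 1 in the management VDOM
    config system vdom-link
        edit "fmg-link"
        next
    end
    config system interface
        edit "fmg-link0"
            set vdom "root"
            set ip 192.168.200.2 255.255.255.252
            set allowaccess ping https ssh fgfm
        next
        edit "fmg-link1"
            set vdom "test"
            set ip 192.168.200.1 255.255.255.252
            set allowaccess ping https ssh fgfm
        next
    end
end

config vdom
    edit root
        # Step 2: RADIUS server and group objects with the same names as in VDOM "test"
        config user radius
            edit "RADIUS-srv"
                set server "10.0.0.10"
                set secret <shared-secret>
            next
        end
        config user group
            edit "RADIUS-admins"
                set member "RADIUS-srv"
            next
        end
        # Step 3: host route to the RADIUS server through the link; next hop is the
        # management-VDOM side (192.168.200.1), egress interface is the root side
        config router static
            edit 10
                set dst 10.0.0.10 255.255.255.255
                set gateway 192.168.200.1
                set device "fmg-link0"
            next
        end
    next
    edit test
        # Step 4: address objects first, then the pass-through policy that references them
        config firewall address
            edit "RADIUS-server"
                set subnet 10.0.0.10 255.255.255.255
            next
            edit "source-root-RADIUS"
                set subnet 192.168.200.2 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name "RADIUS-passthrough"
                set srcintf "fmg-link1"
                set dstintf "wan1"
                set srcaddr "source-root-RADIUS"
                set dstaddr "RADIUS-server"
                set action accept
                set schedule "always"
                set service "RADIUS"
                set nat enable
            next
        end
    next
end
```

Because the policy applies source NAT, the RADIUS server sees the requests from the wan1 address of the management VDOM, so its client entry and shared secret must be defined for that address rather than for 192.168.200.2. Before step 5, confirm the path from the root VDOM with `diagnose test authserver radius RADIUS-srv pap <user> <password>` (run after `config vdom` / `edit root`); if that test succeeds, the FortiManager probe uses the same objects and route.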
Notes: It is assumed that RADIUS authentication is already set up in the management VDOM and works successfully.
Refer to https://kb.fortinet.com/kb/documentLink.do?externalID=FD36127 on how to set up RADIUS authentication on FortiGate.