I was working in the lab this morning and wanted to build an ADVPN infrastructure with real FortiGates (VMware server is running out of room, figure I can offload where I can).
I added my FortiGates to FortiManager, and when I went to authorize them, they all succeeded save for one, where I got this message:
Curious, I wasn't sure what to make of this. So I decided to check the CLI Reference Guide to see what CLI tools were available to figure this out. I came across this one:
diagnose test deploymanager reloadconf <devid>
Hmmm interesting - this seems to effectively be the same as "retrieve config" from the GUI. But I need the device ID, ok, I know this one:
diagnose dvm device list
This is what I got:
Ok cool, so now I can run the deploymanager test:
Now I think I found my issue, but I don't fully understand the output. A little digging with colleagues led me to think this is the bit of FortiGate config that is causing FortiManager to choke. So I decided to look at this on the FortiGate in question:
show firewall internet-service-name
Hmmmm... well, this is certainly an issue. This FortiGate is running a near base config, with only the WAN IPs, gateway, and SD-WAN configured. I have seen blank entries in the ISDB cause other issues in the past, so it's probably a good idea to delete this.
Attempt #1:
Well, it was worth a shot. Dang it!
Attempt #2:
What I did here was just export the config, open it in my favorite text editor and delete the offending entry. I then restored the config and rebooted the FortiGate.
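The hand edit from Attempt #2 can also be scripted against the exported backup. The following is an added example, not part of the original post: the post does not show the offending entry, so it assumes a blank entry is an edit block with an empty name or no set lines, and the sample config and the function name are constructed.

```python
import re

SECTION = "config firewall internet-service-name"

# Constructed sample of an exported config (not taken from the post).
SAMPLE = '''\
#config-version=PLACEHOLDER
config firewall internet-service-name
    edit "Example-Service"
        set internet-service-id 12345
    next
    edit ""
    next
end
config system interface
    edit "wan1"
    next
end
'''

def strip_blank_entries(text, section=SECTION):
    """Return (cleaned_text, removed_names); only `section` is touched."""
    out, removed, entry, in_section = [], [], None, False
    for line in text.splitlines(keepends=True):
        word = line.strip()
        if not in_section:
            # Everything outside the target section is copied unchanged.
            in_section = (word == section)
            out.append(line)
        elif entry is not None:
            entry.append(line)
            if word == "next":  # entry complete: keep it or drop it
                name = re.match(r'edit\s*"?(.*?)"?$', entry[0].strip()).group(1)
                has_set = any(l.strip().startswith("set ") for l in entry)
                if name and has_set:
                    out.extend(entry)
                else:
                    removed.append(name)  # assumed definition of "blank"
                entry = None
        elif word.startswith("edit"):
            entry = [line]  # buffer the entry until its closing "next"
        else:
            if word == "end":
                in_section = False
            out.append(line)
    return "".join(out), removed

if __name__ == "__main__":
    cleaned, removed = strip_blank_entries(SAMPLE)
    print("removed entries:", removed)
    print(cleaned)
```

Entries in this section are treated as flat (no nested config blocks), and the header line of the backup is left untouched.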
Upon reboot, I double checked the ISDB again:
Hooray! It's gone! Ok, now to retrieve the config from FMG:
Great! FortiManager is happy now.
Takeaway:
If you're having trouble retrieving the config from a FortiGate, take a look at the diagnose commands above; they may be able to help you identify where there's an issue in your config.
Hopefully this helps. Thank you for reading.