• Matt Sherif

Troubleshooting a device that won't add to FortiManager

I was working in the lab this morning and wanting to build an ADVPN infrastructure with real FortiGates (VMware server is running out of room, figure I can offload where I can).

I added my FortiGates to FortiManager, and when I went to authorize, they all succeeded save for one, I got this message:

Curious, I wasn't sure what to make of this. So I decided to check the CLI Reference Guide to see what CLI tools were available to figure this out. I came across this one:

diagnose test deploymanager reloadconf <devid>

Hmmm interesting - this seems to effectively be the same as "retrieve config" from the GUI. But I need the device ID, ok, I know this one:

diagnose dvm device list

This is what I got:

Note the OID - in this case our device is ID 381

Ok cool, so now I can run the deploymanager test:

Now I think I found my issue, but I don't fully understand the output. A little digging with colleagues led me to think this is the bit of FortiGate config that is causing FortiManager to choke. So I decided to look at this on the FortiGate in question:

show firewall internet-service-name

Hmmmm... well this is certainly an issue, this FortiGate is running a near base config, with only the WAN IPs, gateway, and SD-WAN configured. I have seen blank entries in the ISDB cause other issues in the past, so it's probably a good idea to delete this.

Attempt #1:

Well, it was worth a shot. Dang it!

Attempt #2:

What I did here was just export the config, open it in my favorite text editor and delete the offending entry. I then restored the config and rebooted the FortiGate.

Upon reboot, I double checked the ISDB again:

Hooray! it's gone! Ok, now to retrieve the config from FMG:

Great! FortiManager is happy now.


If you're having trouble retrieving the config from a FortiGate, take a look at the diagnose commands above, they may be able to help you identify where there's an issue in your config.

Hopefully this helps. Thank you for reading.