IBM Support

Problem with deleting certificates on FortiGate

Troubleshooting


Problem

The network setup includes a FortiGate (FortiOS 6.0.4) managed by a FortiManager (version 6.0.4).
On FortiManager the FortiGate appears as 'out-of-sync'.

FortiManager is unable to install the configuration on the target FortiGate device.



Symptom

1. On FortiManager the FortiGate appears as 'out-of-sync' (for the affected device the 'Config status' field indicates 'Conflict', preceded by a red 'X' icon).

2. When trying to install the configuration from FortiManager, the customer receives the following error:

Can not delete a static table entry
Command fail. Return code -61


Cause

As part of a certificate bundle update, FortiGates can receive updates to existing predefined (built-in) certificates. In some cases the updated certificate uses a new name, which ends up being treated as 'new configuration' on the firewalls.

Predefined certificates are static table entries, so this configuration entry cannot be deleted by an admin user. This is why an install that tries to remove it fails with 'Can not delete a static table entry' (return code -61).

Because the FortiGate is managed by FortiManager, it attempts to notify FortiManager of this configuration change using 'auto-update'. In this case the 'auto-update' option was disabled on the target FortiManager, so the FortiGate's notification attempt failed.

If FortiManager does not receive these updates, the FortiGate not only shows up on FortiManager as out-of-sync. Because FortiManager's copy of the configuration does not contain the renamed certificate, FortiManager also attempts to delete that certificate during the next installation attempt, which fails with the error above.


Diagnosing The Problem

1. Check the 'auto-update' setting on the FortiManager CLI:

# get system admin setting

Look for the 'auto-update' value in the output; if it is 'disable', this issue applies.

2. Check the FortiGate status in the 'Device Manager' section of FortiManager (for the affected device the 'Config status' field indicates 'Conflict' preceded by a red 'X' icon; for devices in a synchronized state the 'Config status' field indicates 'Synchronized').

Resolving The Problem

The 'auto-update' setting on the FortiManager device needs to be set to 'enable' so that the FortiGate can report the renamed certificate:

# config system admin setting
   set auto-update enable
end

Alternatively:
On FortiManager, initiate a 'Retrieve Config' operation for the out-of-sync FortiGate, so that FortiManager learns the current device configuration (including the renamed certificate) instead of trying to delete it on the next install.
More information on how to retrieve a device configuration on FortiManager can be found in the FortiManager documentation.
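The check in 'Diagnosing The Problem' and the fix in 'Resolving The Problem' can also be scripted against the FortiManager JSON-RPC API, which mirrors CLI paths under /cli/global/... . The following is an added example, not part of the original technote or Fortinet's own code. It assumes the login URL '/sys/login/user', the setting URL '/cli/global/system/admin/setting', and that returned data keys match CLI attribute names such as 'auto-update'; confirm these against the FortiManager JSON API reference for your firmware version. The FakeFortiManager class is a constructed in-memory stand-in so the script runs offline.

```python
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Optional

# Assumed API paths and attribute name (FortiManager JSON-RPC mirrors the CLI);
# verify against the JSON API reference for your firmware version.
LOGIN_URL = "/sys/login/user"
ADMIN_SETTING_URL = "/cli/global/system/admin/setting"
AUTO_UPDATE_KEY = "auto-update"

Transport = Callable[[Dict[str, Any]], Dict[str, Any]]


def http_transport(base_url: str, verify_tls: bool = True) -> Transport:
    """Transport that POSTs JSON-RPC requests to <base_url>/jsonrpc."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab appliances with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(req: Dict[str, Any]) -> Dict[str, Any]:
        http_req = urllib.request.Request(
            base_url.rstrip("/") + "/jsonrpc", data=json.dumps(req).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(http_req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read())
    return send


class FortiManagerClient:
    """Minimal JSON-RPC client; the transport is injected so it can be faked."""

    def __init__(self, transport: Transport) -> None:
        self._send = transport
        self._session: Optional[str] = None
        self._next_id = 0

    def call(self, method: str, url: str, data: Any = None) -> Dict[str, Any]:
        self._next_id += 1
        params: Dict[str, Any] = {"url": url}
        if data is not None:
            params["data"] = data
        req: Dict[str, Any] = {"id": self._next_id, "method": method, "params": [params]}
        if self._session is not None:
            req["session"] = self._session
        resp = self._send(req)
        result = resp["result"][0]
        if result["status"].get("code", -1) != 0:
            raise RuntimeError(f"{method} {url}: {result['status']}")
        if "session" in resp:  # login replies carry the session token
            self._session = resp["session"]
        return result

    def login(self, user: str, passwd: str) -> None:
        self.call("exec", LOGIN_URL, {"user": user, "passwd": passwd})
        if self._session is None:
            raise RuntimeError("login returned no session token")


def auto_update_enabled(client: FortiManagerClient) -> bool:
    """The scripted form of '# get system admin setting' -> auto-update."""
    return client.call("get", ADMIN_SETTING_URL)["data"].get(AUTO_UPDATE_KEY) == "enable"


def ensure_auto_update(client: FortiManagerClient) -> bool:
    """The scripted form of 'config system admin setting / set auto-update enable'.
    Returns True when a change was made, False when already enabled."""
    if auto_update_enabled(client):
        return False
    client.call("set", ADMIN_SETTING_URL, {AUTO_UPDATE_KEY: "enable"})
    return True


class FakeFortiManager:
    """Constructed in-memory stand-in for the appliance (offline use and tests)."""

    def __init__(self, auto_update: str = "disable") -> None:
        self.setting = {AUTO_UPDATE_KEY: auto_update}

    def __call__(self, req: Dict[str, Any]) -> Dict[str, Any]:
        method, params = req["method"], req["params"][0]
        ok = {"code": 0, "message": "OK"}
        if method == "exec" and params["url"] == LOGIN_URL:
            return {"id": req["id"], "session": "fake-session",
                    "result": [{"status": ok, "url": LOGIN_URL}]}
        if req.get("session") != "fake-session":  # reject unauthenticated calls
            return {"id": req["id"], "result": [{"status": {"code": -1, "message": "not logged in"}}]}
        if method == "get" and params["url"] == ADMIN_SETTING_URL:
            return {"id": req["id"], "result": [{"status": ok, "data": dict(self.setting)}]}
        if method == "set" and params["url"] == ADMIN_SETTING_URL:
            self.setting.update(params["data"])
            return {"id": req["id"], "result": [{"status": ok}]}
        return {"id": req["id"], "result": [{"status": {"code": -3, "message": "unknown url"}}]}


if __name__ == "__main__":
    # Swap FakeFortiManager for http_transport("https://fmg.example") on a real appliance.
    fmg = FortiManagerClient(FakeFortiManager("disable"))
    fmg.login("admin", "password")
    print("auto-update enabled before:", auto_update_enabled(fmg))
    print("changed:", ensure_auto_update(fmg))
    print("auto-update enabled after:", auto_update_enabled(fmg))
```

Run the script as-is to see the check and remediation against the fake; against a real FortiManager, pass http_transport(...) instead and use an admin account with write access to system settings. After enabling auto-update, the FortiGate still has to report the change, so re-check 'Config status' in Device Manager or run 'Retrieve Config' before the next install.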

Document Location

Worldwide



Product Synonym

FortiGate
FortiManager
Fortigate

Document Information

More support for:
IBM Support Services for Multivendor Network and Security

Component:
IBM Support Services for Multivendor Network and Security->Fortinet

Software version:
All Version(s)

Document number:
6457893

Modified date:
02 June 2021

UID

ibm16457893