Tunnel interface configuration:

    FGT (HUB1) # show
    config system interface
        edit "HUB1"
            set vdom "root"
            set ip 10.10.3.1 255.255.255.255
            set allowaccess ping fgfm                 <----- FortiManager access (fgfm) must be enabled.
            set type tunnel
            set remote-ip 10.10.3.253 255.255.255.0
            set snmp-index 15
            set interface "port1"
        next
    end

FortiGate default central management configuration:

    FGT (central-management) # show full
    config system central-management
        set mode normal
        set type fortiguard                           <----- Change this value to 'fortimanager', but do not save the change.
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        set local-cert ''
        set vdom "root"
        set fmg-update-port 8890
        set enc-algorithm high
    end

    FGT (central-management) # set type fortimanager
    FGT (central-management) # show full
    config system central-management
        set mode normal
        set type fortimanager
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        unset serial-number
        unset fmg
        set fmg-source-ip 0.0.0.0                     <----- The fmg-source-ip must be an address present on FortiGate and allowed within the IPsec tunnel.
        set fmg-source-ip6 ::
        set local-cert ''
        unset ca-cert
        set vdom "root"
        set fmg-update-port 8890
        set include-default-servers enable
        set enc-algorithm high
        set interface-select-method auto              <----- Change this to 'specify' to unlock the interface field.
    end

Final configuration:

    config system central-management
        set type fortimanager
        set serial-number XXXXXXXXX                   <----- Provide the FortiManager serial number.
        set fmg-source-ip 10.10.3.1
        set interface-select-method specify
        set interface "HUB1"
    end

To verify the connection status:

    diagnose fdsm central-mgmt-status
    Connection status: Up
    Registration status: Registered
    Serial: FGVM02TMXXXXXXXX

To confirm which source address and interface FortiGate is using, run a packet sniffer on FortiGate:

    diagnose sniffer packet any "port 541" 4 0 l     <----- port 541 is used for the connection to FortiManager.

Troubleshooting

Assume the traffic flows as follows: FortiGate Spoke - IPsec tunnel - (External VDOM) FortiGate Hub (Root VDOM) - FortiManager.

- Run the sniffer above on the Spoke, the Hub and FortiManager to verify that the traffic sent and the reply from FortiManager are seen on all 3 hops. If the reply is seen on FortiManager but not on the Hub, consider enabling NAT on the policy from the IPsec tunnel to the VDOM link in the External VDOM firewall policy. This helps if FortiManager is unable to route the reply traffic back to the Hub.
- Ensure that the policies on the External VDOM and the Root VDOM allow service UDP 541 (used for FortiManager connectivity).
- For further debugging on the Spoke: diagnose debug app fgfmd -1.
- To restart the fgfmd process on FortiGate: fnsysctl killall fgfmd.
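The configuration conditions this page sets out (fgfm present in allowaccess on the tunnel interface, interface-select-method set to specify, fmg-source-ip matching the tunnel interface address) can be checked offline against a saved FortiGate configuration. The following Python checker is an added example, not Fortinet code; the sample configuration it parses is constructed from the values on this page with the serial number left out, and the parser handles only the flat config/edit/set layout shown here.

```python
import shlex

# Constructed sample mirroring the working configuration on this page (serial omitted).
SAMPLE = """\
config system interface
    edit "HUB1"
        set ip 10.10.3.1 255.255.255.255
        set allowaccess ping fgfm
    next
end
config system central-management
    set type fortimanager
    set fmg-source-ip 10.10.3.1
    set interface-select-method specify
    set interface "HUB1"
end
"""

def parse_fortios(text):
    """Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}; 'next'/'end' are ignored."""
    cfg, section, entry = {}, None, ""
    for parts in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = parts[0], parts[1:]
        if cmd == "config":  # table-less sections (central-management) use entry ''
            section, entry = " ".join(args), ""
            cfg.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
        elif cmd == "set":
            cfg[section].setdefault(entry, {})[args[0]] = args[1:]
    return cfg

def check_fmg_over_tunnel(text):
    """Findings for the conditions this page calls out; an empty list means the config passes."""
    cfg = parse_fortios(text)
    cm = cfg.get("system central-management", {}).get("", {})
    findings = []
    if cm.get("type") != ["fortimanager"]:
        findings.append("central-management type is not fortimanager")
    if cm.get("interface-select-method") != ["specify"]:
        findings.append("interface-select-method is not specify, so the interface field is ignored")
    name, src = cm.get("interface", [""])[0], cm.get("fmg-source-ip", ["0.0.0.0"])[0]
    iface = cfg.get("system interface", {}).get(name)
    if iface is None:
        return findings + [f"interface {name!r} is not defined"]
    if "fgfm" not in iface.get("allowaccess", []):
        findings.append(f"{name}: allowaccess does not include fgfm")
    if src != iface.get("ip", [""])[0]:  # source must be the address configured on that interface
        findings.append(f"fmg-source-ip {src} is not the address of {name}")
    return findings
```

Feed it the output of `show` for the two sections (or a full configuration backup) to catch the three misconfigurations before looking at the sniffer or fgfmd debug.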
Related articles:

- Technical Tip: Routing Challenges When Accessing FortiManager using IPSec Tunnel
- Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN