Technical Tip: Adding multiple FortiGate devices located behind NAT/PAT to FortiManager
Description
This article describes the FortiManager and FortiGate configuration and behavior when multiple FortiGate devices must be onboarded to FortiManager while all of them sit at one site behind a single ISP device that translates every outbound connection "many to one" with PAT. This scenario is very common for MSPs, and the walkthrough below confirms that it works and is practical, especially when FortiManager is deployed in the cloud.
Scope
Multiple FortiGates and one FortiManager.
Solution
The sample topology below shows two FortiGates deployed behind an ISP router on a 192.168.3.0/24 subnet.
FortiManager is on a different subnet (192.168.2.0/24), which simulates a cloud deployment.

Both FortiGates were configured for central management from the CLI (config system central-management), specifying the FortiManager IP address and FortiManager serial number.
Firewall 1:

Firewall 2:
Once FortiManager has authorized both firewalls, they appear in the device list with the same source IP address, 192.168.2.155 (the ISP router's PAT address as seen by FortiManager), but with different names. FortiManager identifies each device by its serial number rather than by its source IP, so the shared address does not cause a conflict:

To confirm that both firewalls can be managed from FortiManager, here are CLI connections to each of them over the FGFM tunnel between FortiManager and the FortiGate:
The first session connects to Firewall 1 via its tunnel IP address; the screenshot shows the device hostname and LAN IP address:

The second session connects to Firewall 2 via its tunnel IP address; the screenshot shows the device hostname and LAN IP address:

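The configuration and verification steps above, as an added worked example that is not taken from the original article's screenshots. The FortiManager address 192.168.2.10, its serial number FMG-VM0000000000, the hostnames Firewall1/Firewall2 and the tunnel IP are placeholders (assumptions); substitute the real values from your deployment.

```fortios
# ---- FortiGate side (repeat on Firewall 1 and Firewall 2) ----
# Only the hostname differs; the FortiManager IP and serial number are the same on
# both units, because both FortiGates point at the same FortiManager.
config system global
    set hostname "Firewall1"        # "Firewall2" on the second unit (assumed hostnames)
end
config system central-management
    set type fortimanager
    set fmg "192.168.2.10"          # FortiManager IP (assumed; not shown in the article)
    set serial-number "FMG-VM0000000000"   # FortiManager serial number (placeholder)
end

# Check registration and FGFM tunnel state from the FortiGate. The FortiGate is
# behind many-to-one PAT, so it is the only side that can open the tunnel, and
# this is where troubleshooting of a dropped tunnel starts.
diagnose fdsm central-mgmt-status
# Expect "Connection status: Up" and, once authorized on FortiManager,
# "Registration status: Registered".

# If the tunnel does not come up, trace the FGFM daemon (the PAT device must
# allow outbound TCP 541 from the FortiGates):
diagnose debug application fgfmd -1
diagnose debug enable
# ... observe the connect/registration messages, then stop tracing:
diagnose debug disable
diagnose debug reset

# ---- FortiManager side ----
# List managed devices: both FortiGates show source IP 192.168.2.155 but
# distinct names and serial numbers.
diagnose dvm device list
# Show the active FGFM tunnel sessions, one per FortiGate.
diagnose fgfm session list
# Open a CLI session to one FortiGate through its FGFM tunnel; the tunnel IP is
# taken from the device entry in FortiManager (placeholder here).
execute ssh admin@<fgfm-tunnel-ip>
```

Because both devices arrive from the same translated address, the serial number and hostname, not the IP, are what distinguish them in diagnose dvm device list; verify both before authorizing, so that an unexpected device sharing the PAT address is not approved by mistake.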
Note:
If the FGFM tunnel is torn down, only the FortiGate attempts to re-establish it. FortiManager treats a NATed FortiGate as an unreachable device and does not try to re-establish the FGFM tunnel on its own, since many-to-one PAT provides no inbound path to the FortiGate. Troubleshooting a dropped tunnel therefore starts on the FortiGate side, and the PAT device must keep allowing outbound TCP 541 (FGFM) from the FortiGates to FortiManager.
