In certain scenarios, there may be requirements to enable FortiManager access through a Loopback interface on FortiGate.
However, this approach can cause connectivity issues between FortiGate and FortiManager, depending on the scenario in which the connection is being attempted.

Scenario 1: A private Loopback IP address, which will require NAT to successfully establish connectivity to FortiManager.

Configuration:

config system central-management
    set type fortimanager
    set serial-number "FMGSN0123456789"
    set fmg "10.5.142.36"
    set fmg-source-ip 10.10.10.10
end

Solution:

FortiGate generates self-initiated traffic to connect to FortiManager, which is routed and sent out through a standard network interface. Source NAT cannot be applied to self-generated traffic, even if a firewall policy is configured, since firewall policies do not apply to self-generated traffic. Connectivity to FortiManager is expected to fail.

Sample logs:

2025-07-28 11:35:29.792512 VLAN2 out 10.10.10.10.2121 -> 10.5.142.36.541: syn 1974846978
2025-07-28 11:35:29.792515 port17 out 10.10.10.10.2121 -> 10.5.142.36.541: syn 1974846978

Scenario 2: A VIP/DNAT rule for port 541 pointing to the Loopback IP is configured on the interface through which FortiManager is reachable.

'fmg-source-ip" is set to 10.10.10.10 under "central-management' configuration.

config firewall vip
    edit "FMGVIP"
        set extip 10.5.128.189
        set mappedip "10.10.10.10"
        set extintf "VLAN2"
        set portforward enable
        set extport 541
        set mappedport 541
      next
end

config firewall policy
    edit 1
        set name "FMGVIP"
        set srcintf "VLAN2"
        set dstintf "Loop"
        set action accept
        set srcaddr "all"
        set dstaddr "FMGVIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

Solution:

In this scenario, FortiGate will still attempt to source the traffic using IP 10.10.10.10, and the connection to FortiManager will fail because NAT must be performed on the egress interface.

If the discovery is initiated from FortiManager to FortiGate's VIP, the standard device discovery might fail with the message 'Probe Failed' as long as FortiGate cannot reach FortiManager from the IP address 10.10.10.10.

Using the 'Legacy Device Login' option allows a successful FortiGate import into FortiManager and enables configuration pushes from FortiManager to FortiGate. However, issues may occur if the session is cleared on the FortiGate or if the device is rebooted.
Removing the 'fmg-source-ip' setting and allowing the FortiGate to source traffic from a standard routed interface with reachability to the FortiManager enables successful tunnel establishment and mitigates unexpected behaviors.

Important:

FortiGate must be able to initiate its connection to FortiManager for a successful and stable connection.
If the connection is only one-way from FortiManager to FortiGate, although it may be possible in certain scenarios to import the FortiGate into FortiManager, this can lead to unexpected behavior once the session is terminated.

Related document:

FortiGate/FortiManager Communications Protocol Guide - Topology scenarios