FortiGate
ekrishnan
Staff
Article Id 332254
Description: This article describes how to add multiple FortiGates located behind a NAT device (a router or an upstream FortiGate) to FortiManager using the upstream device's public IP.
Scope: FortiGate, FortiManager.
Solution

The setup is as per below:

FGT1 -------> FGT2 -------> Internet ---> FortiManager.

 

  • In this case, FGT1 communicates with FortiManager using the loopback private IP 172.21.11.10 as its source address, but because FGT2 source-NATs the traffic, FortiManager sees the public IP 10.47.1.72 of FGT2 as the IP address of FGT1.

 

FortiManager IP: 10.47.1.224.

FGT2 WAN IP: 10.47.1.72.

On FGT1, loopback interface IP: 172.21.11.10.

 

  • Ensure FMG-Access is enabled on the interface used as the FortiManager source:

[screenshot: FMG-Access enabled on the interface]

 

  • Configure Central-Mgmt on FGT1 as per below to integrate FortiGate with FortiManager:

 

config system central-management
    set type fortimanager
    set fmg "10.47.1.224"
    set fmg-source-ip 172.21.11.10 <----- Loopback interface IP.
end

 

On FGT2:

  • A firewall policy is required on FGT2 to allow the traffic from FGT1 (sourced from its loopback IP) out to the Internet so it can reach FortiManager.

 

Policy configuration as per below:

 

[screenshot: FGT2 firewall policy]

 

Note:

Port5 is the interface on which FGT2 receives the traffic sourced from the FGT1 loopback IP.

Port1 is the WAN interface in FGT2.

 

  • In this setup, FGT2 itself is also added to FortiManager using the same WAN IP:

[screenshot: FGT2 central management configuration]

 

  • After this configuration, both FGT1 and FGT2 appear to use the same public IP from FortiManager's perspective, and their configurations are kept in sync as well.
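As an added worked example (not part of the original article), the following is the FortiOS CLI equivalent of the complete setup: the FGT1 loopback and central-management settings, and on FGT2 the address objects, the fgfm service and the firewall policy that the screenshot above shows in the GUI. The IP addresses and the port1/port5 interface names are the ones used in the article; the loopback interface name, the address and service object names, the policy name and the use of TCP/541 for the fgfm management tunnel are assumptions made for this example.

```fortios
# ---- FGT1 (downstream, behind the NAT) ----
# Loopback used as a stable source for the FortiManager tunnel (name assumed).
config system interface
    edit "Loopback0"
        set vdom "root"
        set type loopback
        set ip 172.21.11.10 255.255.255.255
        # "FMG-Access" in the GUI is the fgfm allowaccess flag; ping kept for reachability tests only.
        set allowaccess ping fgfm
    next
end

config system central-management
    set type fortimanager
    set fmg "10.47.1.224"
    set fmg-source-ip 172.21.11.10
end

# ---- FGT2 (upstream FortiGate performing the NAT) ----
# Address objects referenced by the policy (object names assumed).
config firewall address
    edit "FGT1-Loopback"
        set subnet 172.21.11.10 255.255.255.255
    next
    edit "FortiManager"
        set subnet 10.47.1.224 255.255.255.255
    next
end

# The fgfm management tunnel runs over TCP/541 (service name assumed).
config firewall service custom
    edit "FGFM-TCP541"
        set tcp-portrange 541
    next
end

# port5 faces FGT1 and port1 is the WAN, as in the article. "nat enable" is what
# makes FortiManager see 10.47.1.72 for FGT1. The policy is scoped to one source,
# one destination and one service instead of "all", and logged so the management
# traffic is visible in the FGT2 traffic log.
config firewall policy
    edit 0
        set name "FGT1-to-FortiManager"
        set srcintf "port5"
        set dstintf "port1"
        set srcaddr "FGT1-Loopback"
        set dstaddr "FortiManager"
        set action accept
        set schedule "always"
        set service "FGFM-TCP541"
        set nat enable
        set logtraffic all
    next
end

# FGT2 registers without fmg-source-ip, so its tunnel egresses from port1 and
# FortiManager sees the same 10.47.1.72 for both devices.
config system central-management
    set type fortimanager
    set fmg "10.47.1.224"
end
```

This assumes FGT1 already has a route to 10.47.1.224 via FGT2, as the diagram at the top implies. `edit 0` creates a new policy with the next free ID; place it above any broader deny rule for port5. After applying, check the tunnel state on each FortiGate with `diagnose fdsm central-mgmt-status` and confirm on FGT2 that the new policy is the one logging hits for TCP/541 from 172.21.11.10; in FortiManager both devices should then be listed with IP 10.47.1.72 exactly as in the screenshot below.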

 

On FortiManager, after authorizing:

 

[screenshot: FortiManager device list after authorization]

 

Notes:

  • The device named Alza is FGT2 (the upstream FortiGate).
  • The device named Juara-23 is FGT1.
  • The highlighted column shows the IP 10.47.1.72 for both FortiGates; in this setup that is the WAN IP of FGT2.

 

Related article:

Technical Tip: How a FortiManager can manage a FortiGate via Redundant WAN interfaces