FortiGate
pjang
Staff & Editor
Article Id 410688
Description This article describes the FMG-Access setting available on each FortiGate network interface: its intended purpose, what it does at a functional level, and whether it is required for day-to-day management of the FortiGate by FortiManager.
Scope FortiGate, FortiManager.
Solution

The FMG-Access toggle controls whether the FortiGate accepts incoming connection attempts from FortiManager on destination port TCP/541 (FGFM, the FortiGate-to-FortiManager protocol) for device discovery and for FGFM management tunnel establishment. This is not the same thing as the FortiGate making outbound connections to FortiManager once it is configured for central management: if the FortiGate can successfully initiate outgoing connections to FortiManager, it is not necessary to leave FMG-Access enabled.

 

For example, when connecting a FortiGate to FortiManager for the first time, there are generally two options to accomplish this:

  1. On the FortiGate (Global VDOM, for VDOM-enabled units), go to Security Fabric -> Fabric Connectors and configure the Central Management connector for FortiManager (or in the CLI, configure the same under config system central-management). The FortiGate will then initiate an outgoing connection to FortiManager that the administrator will then need to authorize on FortiManager's root ADOM.
    Manual authorization may be skipped if the FortiGate is added as a Model Device on FortiManager ahead of time.

  2. On FortiManager, use the Add Device -> Discover Device wizard under Device Manager -> Device & Groups to discover the FortiGate over the network. FortiManager will then initiate a connection to the FortiGate at the specified address, and it will require the FortiGate to have FMG-Access enabled to accept this initial connection.

Once the initial management settings and FGFM tunnel are established, the FortiGate will know the FortiManager's network address and will re-initiate tunnel establishment whenever it goes down.

 

What does the FMG-Access setting actually do/allow?

When this option is enabled, the FortiGate adds an implicit Local-In Policy that allows TCP/541 traffic inbound on the associated network interface. This can be seen in the GUI for FortiOS v7.6+ (Policy & Objects -> Local-In Policy), and in the CLI for all FortiOS versions with the command diagnose firewall iprope list 10000e. In the output below, the relevant entry has action=accept, a dest equal to the interface's own IP address, and a service line of the form [6:...->(541,541)], i.e. TCP with destination port 541.

 

Local-In_Policy_GUI_7.6.png

 

FortiGate # diagnose firewall iprope list 10000e
[...]
policy index=4294967295 uuid_idx=10 action=accept
flag (0):
schedule()
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 5 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.15.64.105-10.15.64.105, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
[...]
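Reading a full 10000e dump by eye is error-prone, so here is an added Python example (not from this article or from Fortinet) that parses a saved dump and lists the accept entries whose TCP destination port range covers 541. The dump embedded below is constructed: its first entry is the one shown above, and the other two entries (a TCP/443 accept and a TCP/541 deny) are made up in the same shape so the filter has something to reject. The example treats the number after zone(1) as the ingress interface index, which you would match to a name with diagnose netlink interface list; that interpretation is an assumption of the example, not something stated by the article.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

FGFM_PORT = 541

# Constructed sample of `diagnose firewall iprope list 10000e` output.
# Entry uuid_idx=10 is copied from the article; uuid_idx=11 and 12 are
# invented entries of the same shape (a TCP/443 accept and a TCP/541 deny).
SAMPLE_DUMP = """\
policy index=4294967295 uuid_idx=10 action=accept
flag (0):
schedule()
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 5 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.15.64.105-10.15.64.105, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto

policy index=4294967295 uuid_idx=11 action=accept
flag (0):
group=0010000e av=00000000 au=00000000 split=00000000
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 203.0.113.10-203.0.113.10, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(443,443)] flags:0 helper:auto

policy index=4294967295 uuid_idx=12 action=deny
flag (0):
group=0010000e av=00000000 au=00000000 split=00000000
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 203.0.113.10-203.0.113.10, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
"""


@dataclass
class LocalInEntry:
    uuid_idx: int
    action: str
    src_zone: int      # assumed to be the ingress interface index
    dest: str          # destination address range as printed in the dump
    proto: int         # IP protocol number (6 = TCP)
    dport_lo: int
    dport_hi: int


ENTRY_RE = re.compile(r"^policy index=\d+ uuid_idx=(\d+) action=(\w+)", re.M)
ZONE_RE = re.compile(r"zone\(\d+\): (\d+) -> zone")
DEST_RE = re.compile(r"dest\(\d+\): ([0-9.]+-[0-9.]+)")
# [proto:flags:x/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
SERVICE_RE = re.compile(r"\[(\d+):0x[0-9a-f]+:\d+/\(\d+,\d+\)->\((\d+),(\d+)\)\]")


def parse_iprope(dump: str) -> list[LocalInEntry]:
    """Split the dump at each 'policy index=' header and extract one
    LocalInEntry per service line found in that policy."""
    entries: list[LocalInEntry] = []
    for chunk in re.split(r"(?m)^(?=policy index=)", dump):
        head = ENTRY_RE.match(chunk)
        if not head:
            continue  # text before the first policy, or a stray '[...]'
        zone = ZONE_RE.search(chunk)
        dest = DEST_RE.search(chunk)
        for svc in SERVICE_RE.finditer(chunk):
            entries.append(LocalInEntry(
                uuid_idx=int(head.group(1)),
                action=head.group(2),
                src_zone=int(zone.group(1)) if zone else -1,
                dest=dest.group(1) if dest else "?",
                proto=int(svc.group(1)),
                dport_lo=int(svc.group(2)),
                dport_hi=int(svc.group(3)),
            ))
    return entries


def fgfm_accept_entries(dump: str) -> list[LocalInEntry]:
    """Return only the accept entries whose TCP port range covers 541,
    i.e. the implicit local-in rules created by FMG-Access."""
    return [e for e in parse_iprope(dump)
            if e.action == "accept" and e.proto == 6
            and e.dport_lo <= FGFM_PORT <= e.dport_hi]


if __name__ == "__main__":
    for e in fgfm_accept_entries(SAMPLE_DUMP):
        print(f"FGFM accept: interface index {e.src_zone}, dest {e.dest}, "
              f"uuid_idx {e.uuid_idx}")
```

Run it against a dump captured from the device to get one line per interface index that currently accepts FGFM; any index you did not expect to see is an interface whose allowaccess list should be revisited.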

 

When should FMG-Access be enabled/disabled?

Enable this setting only where the FortiGate is unable to initiate the connection to FortiManager itself and must rely on FortiManager initiating the management tunnel. Otherwise leave it disabled: every enabled interface exposes a listening TCP/541 service, so disabling it where it is not required reduces the attack surface. Even where it is needed, enable it only on the FortiGate interfaces that FortiManager is actually expected to connect to, not on every interface.

 

Consider the following examples where one might enable FMG-Access on a FortiGate interface:

  • FortiManager is located behind a router/firewall that does not allow inbound connections (e.g., no Virtual IPs/DNAT or inbound Firewall Policies), so the FortiGate would not be able to initiate connectivity to the FortiManager on its own.
    A similar situation can occur when the FortiGate is using the wrong outgoing Source IP address to try to communicate with FortiManager (for example, using an IPsec tunnel without an assigned tunnel-IP, or if a loopback address must be used as the FortiGate address).

  • The FortiGate is being freshly deployed and does not yet have central-management enabled, but it is generally reachable over the network (either via local private IP address or via public WAN IP). Enabling FMG-Access would allow FortiManager to initiate a connection as part of initial device discovery/setup.

 

Note that in most scenarios, alternative options exist that allow the FortiGate to initiate the FGFM tunnel connection to FortiManager. For example:

  • Consider adding firewall rules/mappings on any intermediate firewalls so that the FortiGate can initiate connections to FortiManager.
  • For fresh deployments, consider either pre-configuring the FortiGate with FortiManager-based central-management, or utilizing services such as FortiGate Cloud provisioning or FortiZTP to auto-provision FortiGates with central-management from FortiManager, FortiManager Cloud, or FortiGate Cloud.
  • For situations where the FortiGate is using the wrong source IP for local-out connections to FortiManager, the outgoing interface/source IP can be specified explicitly (for FortiManager traffic, this is fmg-source-ip under config system central-management) rather than letting the FortiGate choose based on the outgoing interface. See also this article: Technical Tip: How to control/change the FortiGate source IP for self-originating traffic : SNMP, Sy....

 

Where is FMG-Access enabled/disabled?

For reference, the FMG-Access option can be found in the Administrative Access section of each FortiGate interface's configuration. It can also be set in the CLI via set allowaccess fgfm. Note that set allowaccess replaces the whole list of protocols allowed on that interface, so either include the existing values (for example, set allowaccess ping https ssh fgfm), or use append allowaccess fgfm to add only fgfm and unselect allowaccess fgfm to remove it while leaving the other protocols intact:

 

Interface_FMG-Access_GUI.png

 

config system interface
    edit <interface_name>
        set allowaccess fgfm
    next
end
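Since the setting is per interface, the useful check is an audit of the whole interface table against the short list of interfaces FortiManager is actually expected to reach. The following Python example is added here and is not part of the article or of any Fortinet tooling: it parses a saved `show system interface` excerpt, reports every interface with fgfm in its allowaccess list that is not in the expected set (calling out WAN-role interfaces explicitly), and emits CLI that removes only fgfm using unselect, so the interface's other access protocols are untouched. The configuration excerpt and the interface names port1/port2/port3 are constructed for the example.

```python
from __future__ import annotations

import re

FGFM = "fgfm"

# Constructed `show system interface` excerpt (not captured from a real device).
# port1 is the WAN-facing interface, port2 is the LAN side that FortiManager
# actually connects to, port3 has only ping enabled.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.15.64.105 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
    edit "port3"
        set vdom "root"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit "([^"]+)"')
ALLOW_RE = re.compile(r"^\s*set allowaccess (.+)$")
ROLE_RE = re.compile(r"^\s*set role (\S+)")


def parse_interfaces(config: str) -> dict[str, dict]:
    """Map interface name -> {'allowaccess': set of protocols, 'role': str}."""
    ifaces: dict[str, dict] = {}
    current: str | None = None
    for line in config.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"allowaccess": set(), "role": "undefined"}
            continue
        if current is None:
            continue
        if line.strip() == "next":
            current = None
            continue
        m = ALLOW_RE.match(line)
        if m:
            ifaces[current]["allowaccess"] = set(m.group(1).split())
            continue
        m = ROLE_RE.match(line)
        if m:
            ifaces[current]["role"] = m.group(1)
    return ifaces


def fgfm_exposure(config: str, expected: set[str]) -> list[tuple[str, str]]:
    """Return (interface, reason) for each interface that allows fgfm but is
    not one FortiManager is expected to connect to."""
    findings = []
    for name, info in parse_interfaces(config).items():
        if FGFM not in info["allowaccess"] or name in expected:
            continue
        reason = ("wan-facing interface" if info["role"] == "wan"
                  else "not in expected set")
        findings.append((name, reason))
    return sorted(findings)


def remediation_cli(findings: list[tuple[str, str]]) -> str:
    """Build CLI that drops only fgfm from each flagged interface. 'unselect'
    removes a single value; 'set allowaccess' would replace the whole list."""
    lines = ["config system interface"]
    for name, _reason in findings:
        lines += [f'    edit "{name}"', "        unselect allowaccess fgfm", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = fgfm_exposure(SAMPLE_CONFIG, expected={"port2"})
    for name, reason in found:
        print(f"{name}: fgfm enabled ({reason})")
    if found:
        print(remediation_cli(found))
```

Feed it the output of show system interface from each FortiGate (or from the FortiManager-side device config) and keep the expected set to the one or two interfaces FortiManager is actually routed to; anything else it prints is a listener on TCP/541 that serves no purpose.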

 

Related documents:

Interface settings

Technical Tip: FMG-Access is disabled on interfaces