FortiGate
amrit
Staff
Article Id 348966
Description
This article provides the FortiGate CLI configuration needed to connect a FortiGate to FortiManager over an IPsec tunnel.
Scope
FortiGate.
Solution

Tunnel interface configuration:

FGT(HUB1)# show
    config system interface
        edit "HUB1"
            set vdom "root"
            set ip 10.10.3.1 255.255.255.255
            set allowaccess ping fgfm  <----- 'fgfm' must be included in allowaccess so FortiManager can reach the FortiGate through the tunnel.
            set type tunnel
            set remote-ip 10.10.3.253 255.255.255.0
            set snmp-index 15
            set interface "port1"
        next
    end

FortiGate default central-management configuration:

FGT (central-management) # show full
    config system central-management
        set mode normal
        set type fortiguard  <----- Change this value to 'fortimanager', but do not leave the context with 'end' (which saves) yet; the additional fields shown below then become visible.
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        set local-cert ''
        set vdom "root"
        set fmg-update-port 8890
        set enc-algorithm high
    end

FGT (central-management) # set type fortimanager

FGT (central-management) # show full
    config system central-management
        set mode normal
        set type fortimanager
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        unset serial-number
        unset fmg
        set fmg-source-ip 0.0.0.0 <----- The fmg-source-ip must be an address configured on the FortiGate and allowed within the IPsec tunnel.
        set fmg-source-ip6 ::
        set local-cert ''
        unset ca-cert
        set vdom "root"
        set fmg-update-port 8890
        set include-default-servers enable
        set enc-algorithm high
        set interface-select-method auto <----- Change this to 'specify' to unlock the interface field.
    end

Configuration to apply:

config system central-management
    set type fortimanager
    set serial-number XXXXXXXXX <----- Provide the FortiManager serial number.
    set fmg-source-ip 10.10.3.1
    set interface-select-method specify
    set interface "HUB1"
end
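
The settings above only work together when the tunnel interface allows fgfm, central-management is pinned to that interface with interface-select-method specify, and fmg-source-ip is the address actually configured on it. As an added example (not part of this article and not Fortinet tooling), the following Python script parses a FortiOS 'show' excerpt of the two relevant sections and reports any of those mismatches before the FortiManager registration is attempted. The embedded config is constructed from the article's values; the FortiManager serial number in it is a placeholder.

```python
"""Consistency check for the FortiGate-to-FortiManager-over-IPsec settings.

Added example: parses a FortiOS 'show' excerpt (config/edit/set/next/end) of
'system interface' and 'system central-management' and reports anything that
would break the FGFM session over the tunnel. Not Fortinet code.
"""
import shlex

# Constructed sample built from the article's values; the serial number is a
# placeholder, not a real FortiManager unit.
SAMPLE_CONFIG = """\
config system interface
    edit "HUB1"
        set vdom "root"
        set ip 10.10.3.1 255.255.255.255
        set allowaccess ping fgfm
        set type tunnel
        set remote-ip 10.10.3.253 255.255.255.0
        set interface "port1"
    next
end
config system central-management
    set type fortimanager
    set serial-number FMG-SERIAL-PLACEHOLDER
    set fmg-source-ip 10.10.3.1
    set interface-select-method specify
    set interface "HUB1"
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}. Plain 'set' lines directly
    under a 'config' section are stored under entry ''. Sub-configs nested
    inside an entry are tracked for depth only and otherwise ignored."""
    sections, stack = {}, []
    section = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("<-----", 1)[0])  # drop inline annotations
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            if not stack:  # top-level section such as 'system interface'
                section = " ".join(tokens[1:])
                sections.setdefault(section, {})
                entry = ""
            stack.append("config")
        elif kw == "edit":
            if len(stack) == 1:  # table entry directly under the section
                entry = tokens[1]
                sections[section].setdefault(entry, {})
            stack.append("edit")
        elif kw == "next":
            stack.pop()
            if len(stack) == 1:
                entry = ""
        elif kw == "end":
            stack.pop()
            if not stack:
                section = entry = None
        elif kw in ("set", "unset") and section is not None and len(stack) <= 2:
            values = sections[section].setdefault(entry, {})
            if kw == "set":
                values[tokens[1]] = tokens[2:]
            else:
                values.pop(tokens[1], None)
    return sections


def check_fortimanager_over_ipsec(text):
    """Return a list of findings; an empty list means the settings agree."""
    cfg = parse_fortios(text)
    cm = cfg.get("system central-management", {}).get("", {})
    ifaces = cfg.get("system interface", {})
    findings = []
    if cm.get("type") != ["fortimanager"]:
        findings.append("central-management type is not 'fortimanager'")
    if cm.get("interface-select-method") != ["specify"]:
        findings.append("interface-select-method is not 'specify'; the interface field stays locked")
    if not (cm.get("serial-number") or [""])[0]:
        findings.append("FortiManager serial-number is not set")
    iface_name = (cm.get("interface") or [None])[0]
    iface = ifaces.get(iface_name) if iface_name else None
    if iface is None:
        findings.append(f"management interface {iface_name!r} is not selected or not defined")
        return findings
    if "fgfm" not in iface.get("allowaccess", []):
        findings.append(f"interface {iface_name!r} does not include fgfm in allowaccess")
    src_ip = (cm.get("fmg-source-ip") or ["0.0.0.0"])[0]
    iface_ip = (iface.get("ip") or [None])[0]
    if src_ip == "0.0.0.0":
        findings.append("fmg-source-ip is 0.0.0.0 (unset); FGFM may be sourced from an address the tunnel does not carry")
    elif src_ip != iface_ip:
        findings.append(f"fmg-source-ip {src_ip} is not the address of {iface_name!r} ({iface_ip})")
    return findings


if __name__ == "__main__":
    for line in check_fortimanager_over_ipsec(SAMPLE_CONFIG) or ["OK: settings are consistent"]:
        print(line)
```

Feed it the output of 'show system interface' and 'show full system central-management' from the unit being onboarded; inline '<-----' annotations like those in this article are stripped before parsing, so the excerpts above can be pasted as they are.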


To verify the connection status:


diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FGVM02TMXXXXXXXX

Related articles:

Technical Tip: Routing Challenges When Accessing FortiManager using IPSec Tunnel

Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN