amrit
Staff & Editor
Article Id 348966
Description
This article provides the FortiGate CLI configuration needed to register a FortiGate with FortiManager over an IPsec tunnel, so that the FGFM management traffic is sourced from the tunnel interface instead of the physical WAN interface.

Scope
FortiGate.
Solution

Tunnel interface configuration (the IPsec phase1-interface, shown here as HUB1, must allow FGFM access):

FGT(HUB1)# show
    config system interface
        edit "HUB1"
            set vdom "root"
            set ip 10.10.3.1 255.255.255.255  <----- Tunnel-side address; this will be used as the FGFM source address.
            set allowaccess ping fgfm  <----- 'fgfm' must be present so the FortiManager (FGFM) protocol is accepted on this interface.
            set type tunnel
            set remote-ip 10.10.3.253 255.255.255.0
            set snmp-index 15
            set interface "port1"  <----- Physical interface the tunnel is bound to.
        next
    end

FortiGate default central-management configuration (type 'fortiguard'; the FortiManager-specific settings are hidden while this is the active type):

FGT (central-management) # show full
    config system central-management
        set mode normal
        set type fortiguard  <----- Change this value to 'fortimanager' but do not 'end' yet; the next 'show full' then exposes the FortiManager-specific settings.
        set schedule-config-restore enable
        set schedule-script-restore enable
        set allow-push-configuration enable
        set allow-push-firmware enable
        set allow-remote-firmware-upgrade enable
        set allow-monitor enable
        set local-cert ''
        set vdom "root"
        set fmg-update-port 8890
        set enc-algorithm high
    end

FGT (central-management) # set type fortimanager

FGT (central-management) # show full
config system central-management
    set mode normal
    set type fortimanager
    set schedule-config-restore enable
    set schedule-script-restore enable
    set allow-push-configuration enable
    set allow-push-firmware enable
    set allow-remote-firmware-upgrade enable
    set allow-monitor enable
    unset serial-number  <----- Set this to the FortiManager serial number.
    unset fmg  <----- Set this to the FortiManager address reachable through the tunnel.
    set fmg-source-ip 0.0.0.0 <----- The fmg-source-ip must be an address configured on the FortiGate (here the HUB1 tunnel IP) and must be covered by the IPsec phase2 selectors so it is carried through the tunnel.
    set fmg-source-ip6 ::
    set local-cert ''
    unset ca-cert
    set vdom "root"
    set fmg-update-port 8890
    set include-default-servers enable
    set enc-algorithm high
    set interface-select-method auto <----- Change this to 'specify' to unlock the 'interface' field.
end

Final configuration (commit it with 'end'):

config system central-management
    set type fortimanager
    set serial-number XXXXXXXXX <----- FortiManager serial number.
    set fmg "<FortiManager-IP>" <----- FortiManager address; use the one reachable through the tunnel.
    set fmg-source-ip 10.10.3.1 <----- HUB1 tunnel interface IP; FortiManager needs a return route to this address through the tunnel.
    set interface-select-method specify
    set interface "HUB1" <----- Forces FGFM traffic out of the tunnel interface.
end

The FortiGate also needs a route to the FortiManager address that points at HUB1, and the remote side needs a route back to 10.10.3.1 through the tunnel; see the routing article under Related articles.

To verify the connection status:

diagnose fdsm central-mgmt-status
Connection status: Up
Registration status: Registered
Serial: FGVM02TMXXXXXXXX

Both 'Connection status: Up' and 'Registration status: Registered' are expected once the device has been added and authorized on FortiManager.

To confirm which source address and interface FortiGate actually uses for FGFM, run the built-in packet sniffer while the connection is being (re)established:

diagnose sniffer packet any "port 541" 4 0 l   <----- TCP/541 is the FGFM channel to FortiManager; verbosity 4 prints the interface name with each packet header, 0 means no packet limit, 'l' prints local-time timestamps.

Outbound packets to port 541 should show the tunnel interface (HUB1) and the fmg-source-ip (10.10.3.1). If they show the physical interface or another address, the interface-select-method / fmg-source-ip settings did not take effect or the route to FortiManager does not point at the tunnel.
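As an added example (not from the article or from Fortinet), the following Python script parses verbosity-4 sniffer output and flags FGFM packets that left the wrong interface or carried the wrong source address, which is the check you would otherwise do by eye. The sniffer line layout it expects and the sample capture are constructed assumptions; adjust the regular expression if your FortiOS build prints the header differently.

```python
"""Check FortiGate sniffer output for FGFM (TCP/541) packets that use the
wrong egress interface or source address.

Added example, not part of the original article or of FortiOS. The line layout
below is an ASSUMPTION about the verbosity-4 output of
  diagnose sniffer packet any "port 541" 4 0 l
"""
import re

# Constructed sample output (not a real capture). Two packets leave HUB1 from
# 10.10.3.1 as intended, one reply comes back, and the last packet leaks out
# port1 with a LAN source, which is what you see when interface-select-method /
# fmg-source-ip were not applied or the route to FortiManager bypasses the tunnel.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 541]
2024-05-01 10:15:01.123456 HUB1 out 10.10.3.1.25120 -> 10.10.3.253.541: syn 1481263612
2024-05-01 10:15:01.130112 HUB1 in 10.10.3.253.541 -> 10.10.3.1.25120: syn 2044801733 ack 1481263613
2024-05-01 10:15:01.130340 HUB1 out 10.10.3.1.25120 -> 10.10.3.253.541: ack 2044801734
2024-05-01 10:15:07.551200 port1 out 192.168.1.99.25121 -> 10.10.3.253.541: syn 1781230998
"""

# Assumed layout: "<date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp info>"
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<info>.*)$"
)

FGFM_PORT = 541  # FGFM management channel between FortiGate and FortiManager


def parse_sniffer(output):
    """Yield one dict per packet line; the interfaces=/filters= header lines are skipped."""
    for line in output.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["sport"] = int(pkt["sport"])
        pkt["dport"] = int(pkt["dport"])
        yield pkt


def check_fgfm_egress(output, expected_src, expected_intf, fgfm_port=FGFM_PORT):
    """Classify FGFM packets in sniffer output.

    Returns a dict with:
      ok      - count of outbound packets to fgfm_port using expected_src on expected_intf
      bad     - outbound packets to fgfm_port that do not (the ones to investigate)
      inbound - count of packets coming back from fgfm_port (FortiManager replies)
    """
    result = {"ok": 0, "bad": [], "inbound": 0}
    for pkt in parse_sniffer(output):
        if pkt["dir"] == "out" and pkt["dport"] == fgfm_port:
            if pkt["src"] == expected_src and pkt["intf"] == expected_intf:
                result["ok"] += 1
            else:
                result["bad"].append(pkt)
        elif pkt["dir"] == "in" and pkt["sport"] == fgfm_port:
            result["inbound"] += 1
    return result


def fgfm_uses_tunnel(output, expected_src, expected_intf):
    """True only if FGFM traffic was seen and every outbound packet used the expected path."""
    r = check_fgfm_egress(output, expected_src, expected_intf)
    return r["ok"] > 0 and not r["bad"]


if __name__ == "__main__":
    summary = check_fgfm_egress(SAMPLE_SNIFFER_OUTPUT, "10.10.3.1", "HUB1")
    print(f"outbound FGFM via HUB1/10.10.3.1: {summary['ok']}, replies: {summary['inbound']}")
    for pkt in summary["bad"]:
        print(f"WRONG PATH: {pkt['ts']} {pkt['intf']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
```

Paste the real sniffer output in place of the constructed sample (or read it from a file) and pass the fmg-source-ip and tunnel interface name from the central-management configuration; any packet reported as WRONG PATH is FGFM traffic that is not going through the IPsec tunnel.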

Related articles:

Technical Tip: Routing Challenges When Accessing FortiManager using IPSec Tunnel

Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN