FortiManager
sjhwang (Staff)
Description
Limitation:
If a FortiGate (FGT) is discovered by a FortiManager (FMG) behind a NAT device, then the set fmg IP value is NOT set automatically on FGT.  As a result, the FortiGate will not be able to initiate an FGFM tunnel to the FortiManager.  FortiManager will have to initiate the connection.

Why is this the default?
To ensure FortiGates don't try to point to the private IP of the FortiManager.

Problem:
If FortiGates have dynamic IP addresses on their WAN interfaces, FortiGates need to initiate the connection.

Solution:
This article explains the command to use on the FortiManager that allows the FortiManager to configure FortiGates to point to the public IP of the FortiManager.

Solution
If the NAT device in front of the FortiManager has a static 1:1 NAT rule, you can use the following command to push the public IP of the FortiManager down to the FortiGates.

config system admin setting
    set mgmt-addr "x.x.x.x"
end

** Detail **

This FortiManager command is used when the FortiManager is behind a NAT device and FortiGates reach the FortiManager through its VIP.
The explanation below is based on the following topology.

1. Topology
FMG.13--10.130.209.0/24--.152 Port15-FGT200B-Port16 .254--10.10.10.0/24--.253-FGT60C

FMG_VIP -> 10.10.10.102

When a device is discovered by a NATed FortiManager, the FortiManager IP is not configured in the FortiGate's central-management configuration by default.

In the FortiManager GUI, entering 10.10.10.253 in the Add Device section registers FGT60C on the FortiManager.

After completing the FGT60C registration on the FortiManager, nothing is displayed under system central-management on the FortiGate.

FGT60C # show system central-management
--Nothing is displayed--

There are two ways to add the FMG VIP address under system central-management on the FortiGate.

[1] Configure it manually on the FortiGate after completing the FGT60C registration on the FortiManager:

#FGT config
config system central-management
    set fmg <FMG_VIP>
end
-> In the above topology, FMG_VIP is 10.10.10.102.

[2] Configure it on the FortiManager so that it is set on the FortiGate automatically during the discovery process:

#FMG config
config system admin setting
    set mgmt-addr <FMG_VIP>
end
-> In the above topology, FMG_VIP is 10.10.10.102.
