Limitation: If a FortiGate (FGT) is discovered by a FortiManager (FMG) behind a NAT device, then the set fmg IP value is NOT set automatically on FGT. As a result, the FortiGate will not be able to initiate an FGFM tunnel to the FortiManager. FortiManager will have to initiate the connection.
Why is this the default?
To ensure FortiGates don't try to point to the private IP of the FortiManager.
Problem: If FortiGates have dynamic IP addresses on their WAN interfaces, FortiGates need to initiate the connection.
This article explains the command to use on the FortiManager that allows the FortiManager to configure FortiGates to point to the public IP of the FortiManager.
If the NAT device in front of the FortiManager has a static 1:1 NAT rule, the following FortiManager command pushes the public IP of the FortiManager down to the FortiGates:
config system admin setting
    set mgmt-addr "x.x.x.x"
end
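As an added example (not part of this article and not Fortinet tooling), a small Python check a defender can run over a FortiGate's central-management configuration to confirm it points at the FortiManager's public mgmt-addr rather than an RFC 1918 address that the NAT device will never route. The config block, the 10.0.0.5 address and the 203.0.113.10 "public" address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample (not a real device capture): a FortiGate discovered through
# NAT whose "set fmg" was left pointing at the FortiManager's private address.
SAMPLE_FGT_CONFIG = """\
config system central-management
    set type fortimanager
    set fmg "10.0.0.5"
end
"""

# Placeholder for the public address configured as mgmt-addr on the FortiManager.
EXPECTED_PUBLIC_FMG = "203.0.113.10"

# RFC 1918 ranges checked explicitly; Python's is_private also flags
# documentation ranges such as 203.0.113.0/24, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fmg_address(config_text):
    """Return the 'set fmg' value inside 'config system central-management', or None."""
    block = re.search(r"^config system central-management$(.*?)^end$", config_text, re.M | re.S)
    if not block:
        return None
    m = re.search(r'^\s*set fmg\s+"?([^"\s]+)"?\s*$', block.group(1), re.M)
    return m.group(1) if m else None


def check_fmg_address(config_text, expected_public):
    """Classify the FortiManager address a FortiGate will use for the FGFM tunnel.

    'unset'    - no fmg address, so the FortiGate cannot initiate the tunnel
    'private'  - RFC 1918 address the NAT device in front of FortiManager will not route
    'mismatch' - an address (or FQDN) other than the expected public mgmt-addr
    'ok'       - matches the expected public address
    """
    addr = parse_fmg_address(config_text)
    if addr is None:
        return "unset"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # an FQDN rather than an IP literal
        return "ok" if addr == expected_public else "mismatch"
    if any(ip in net for net in RFC1918):
        return "private"
    return "ok" if addr == expected_public else "mismatch"


if __name__ == "__main__":
    print(check_fmg_address(SAMPLE_FGT_CONFIG, EXPECTED_PUBLIC_FMG))  # private
```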
** Detail **
This FortiManager command is used when the FortiManager sits behind a NAT device and the FortiGates reach it through the FortiManager's VIP. The explanation below is based on the topology.