FortiManager
sjhwang (Staff)
Article Id 197517

Description

 
This article describes how to configure FortiManager to push its NAT address to the managed FortiGates.
 
Context:
The following FortiGate configuration items can be set manually; however, FortiManager also overwrites them once the initial FGFM connection is established.
 
FGT # config system central-management
    set fmg <address>
    set serial-number <fmg-serial-number>
end
 
Limitation:
When a FortiGate is added to a FortiManager that sits behind a NAT device, the FortiGate's 'config system central-management -> set fmg <address>' value is NOT set automatically. Moreover, FortiManager may overwrite and remove a manually configured address in certain scenarios.
As a result, the FortiGate cannot initiate the FGFM tunnel to FortiManager, so FortiManager would have to initiate and keep the FGFM tunnels up itself. If the managed FortiGates are also behind NAT and/or have dynamic IP addresses, that is impossible as well.
 
Scope
FortiManager


Solution

 
In the deployment scenario described, the following FortiManager settings make it push explicitly configured NAT addresses to all managed FortiGates:
 
FMG # config system admin setting
    set mgmt-addr <IP>                                     <- Single address, IP only.
    set mgmt-fqdn "<addr-1>" "<addr-2>" ... "<addr-10>"    <- Up to 10 IPs/FQDNs, space separated.
end

 

Here is a simple example:

 

[Figure: lab-topo1.png, lab topology for the single-address example]

 

FMG # config system admin setting
    set mgmt-addr "1.2.3.4"
end

FortiManager then pushes this to the FortiGate as:

FGT # config system central-management
    set type fortimanager
    set fmg "1.2.3.4"
end

 

The second example shows a typical SD-WAN setup in which the managed FortiGate can reach a FortiManager HA pair in four ways: it prefers the redundant IPsec tunnels, but can also connect directly through the two underlay DNATs (VIPs) in front of FortiManager.

[Figure: lab-topo.png, lab topology for the SD-WAN / FortiManager HA example]

  

FMG # config system admin setting
    set mgmt-fqdn "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end

This results in the following configuration on the managed FortiGate:

FGT # config system central-management
    set type fortimanager
    set fmg "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end

Note that, although a different FortiManager setting is used in each example ('set mgmt-addr' vs. 'set mgmt-fqdn'), the FortiGate setting that gets modified is the same ('set fmg') in both cases.
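After the push, the practical question is whether every managed FortiGate actually received the address list, since a FortiGate with an empty 'set fmg' is exactly the device from the Limitation section that cannot initiate the FGFM tunnel. The script below is an added example and not Fortinet code: it parses the CLI output of 'show system admin setting' on FortiManager and 'show system central-management' on a FortiGate (the sample output here is constructed for the example, matching the two configurations above), extracts the quoted value lists with shlex, and reports whether the FortiGate's 'set fmg' matches what FortiManager is configured to push. It also flags the two limits the article states (mgmt-addr is a single IP, mgmt-fqdn holds at most ten entries). The precedence rule when both mgmt-addr and mgmt-fqdn are set is an assumption of this check, not something the article specifies.

```python
"""Added example (not Fortinet code): verify that the address list
FortiManager is configured to push landed in a FortiGate's 'set fmg'.
All CLI output below is constructed sample text for this example."""
import ipaddress
import shlex

# Constructed FortiManager output of: show system admin setting
FMG_SHOW = """\
config system admin setting
    set mgmt-fqdn "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end
"""

# Constructed FortiGate output after a successful push.
FGT_SHOW_OK = """\
config system central-management
    set type fortimanager
    set fmg "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end
"""

# Constructed FortiGate output for the failure mode in the Limitation
# section: the device was added behind NAT and never received 'set fmg'.
FGT_SHOW_MISSING = """\
config system central-management
    set type fortimanager
end
"""

MAX_MGMT_FQDN = 10  # entry limit for 'set mgmt-fqdn' as stated in the article


def parse_set_lines(cli_text):
    """Return {name: [values]} for every 'set <name> <values...>' line.

    shlex handles the double-quoted, space separated value lists that the
    FortiOS CLI prints, e.g. set fmg "10.1.2.3" "fmg01.example.com".
    """
    settings = {}
    for raw in cli_text.splitlines():
        parts = shlex.split(raw.strip())
        if len(parts) >= 2 and parts[0] == "set":
            settings[parts[1]] = parts[2:]
    return settings


def fortimanager_targets(fmg_settings):
    """Addresses FortiManager is configured to push, plus sanity warnings.

    Assumption (not stated in the article): if both mgmt-addr and
    mgmt-fqdn are set, the FortiGate is checked against mgmt-fqdn.
    """
    warnings = []
    addr = fmg_settings.get("mgmt-addr", [])
    fqdn = fmg_settings.get("mgmt-fqdn", [])
    if addr:
        try:
            ipaddress.ip_address(addr[0])  # mgmt-addr accepts an IP only
        except ValueError:
            warnings.append("mgmt-addr must be an IP address, got %r" % addr[0])
    if len(fqdn) > MAX_MGMT_FQDN:
        warnings.append("mgmt-fqdn has %d entries, limit is %d"
                        % (len(fqdn), MAX_MGMT_FQDN))
    return (fqdn or addr), warnings


def check_push(fmg_cli, fgt_cli):
    """Compare what FortiManager should push with what the FortiGate holds."""
    expected, warnings = fortimanager_targets(parse_set_lines(fmg_cli))
    fgt = parse_set_lines(fgt_cli)
    actual = fgt.get("fmg", [])
    if fgt.get("type") != ["fortimanager"]:
        warnings.append("central-management type is not fortimanager")
    if not actual:
        warnings.append("FortiGate has no 'set fmg' value: "
                        "it cannot initiate the FGFM tunnel")
    return {
        "expected": expected,
        "actual": actual,
        "ok": bool(actual) and actual == expected,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, fgt_cli in (("pushed", FGT_SHOW_OK), ("missing", FGT_SHOW_MISSING)):
        result = check_push(FMG_SHOW, fgt_cli)
        print(label, "OK" if result["ok"] else "MISMATCH", result)
```

In practice the two text inputs come from the devices (for example via SSH or the FortiManager JSON API), and the check is run per managed FortiGate; any device reported with an empty 'set fmg' or a list that differs from FortiManager's mgmt-addr/mgmt-fqdn is one that will lose central management as soon as the FortiManager-initiated tunnel drops.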