Description
This article describes how to configure FortiManager to push its NAT address to the managed FortiGates.
Context:
The following FortiGate configuration items can be configured manually; however, they are also overwritten by the FortiManager once the initial FGFM connection is established.
FGT # config system central-management
set fmg <address>
set serial-number <fmg-serial-number>
end
Limitation:
When a FortiGate is added to a FortiManager that sits behind a NAT device, the FortiGate's 'config system central-management -> set fmg <address>' value is NOT set automatically. Moreover, FortiManager may overwrite and remove a manually configured address in certain scenarios.
As a result, the FortiGates would be unable to initiate the FGFM tunnel to FortiManager, and FortiManager would have to keep the FGFM tunnels up itself. However, if the managed FortiGates are also behind NAT and/or have dynamic IPs, that is impossible as well.
Scope
FortiManager
Solution
In the deployment scenario described, the following settings enable FortiManager to push explicitly configured NAT addresses to all managed FortiGates:
FMG # config system admin setting
set mgmt-addr <IP> <- Single address, IP only.
set mgmt-fqdn "<addr-1>" "<addr-2>" ... "<addr-10>" <- Up to 10 IPs/FQDNs, space separated.
end
Here is a simple example:
![lab-topo1.png lab-topo1.png](/t5/image/serverpage/image-id/62515i7A608BF329EEAC42/image-dimensions/696x85/is-moderation-mode/true?v=v2)
FMG # config system admin setting
set mgmt-addr "1.2.3.4"
end
On the FortiGate side, this is pushed as:
FGT # config system central-management
set type fortimanager
set fmg "1.2.3.4"
end
Another example shows a typical SD-WAN setup, where the managed FortiGate can access a FortiManager HA in four ways, preferring the redundant IPsec tunnels, but also allowing a direct connection via the two underlay DNATs (VIPs) on FortiManager side:
![lab-topo.png lab-topo.png](/t5/image/serverpage/image-id/62513i3CCC791BE38BEE96/image-dimensions/697x90/is-moderation-mode/true?v=v2)
FMG # config system admin setting
set mgmt-fqdn "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end
This results in the following configuration on the managed FortiGate:
FGT # config system central-management
set type fortimanager
set fmg "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end
Note that, despite the different FortiManager setting used ('set mgmt-addr' vs. 'set mgmt-fqdn'), the modified FortiGate setting is the same ('set fmg') in both examples.
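The following script is an added example and not Fortinet's code or part of this article. It builds the 'config system admin setting' block from a list of addresses while enforcing the two limits stated above (mgmt-addr takes a single IP; mgmt-fqdn takes up to 10 IPs/FQDNs), and it parses a captured FortiGate 'show system central-management' output to confirm that the expected 'set fmg' value was actually pushed. The sample FortiGate output and all addresses are constructed for the example; the FQDN regex is a generic hostname check, not a FortiOS rule.

```python
"""Generate and verify the FortiManager NAT-address settings from the article.

Added example (not Fortinet's code). Assumes only the CLI syntax shown above:
  FMG: config system admin setting / set mgmt-addr <IP> | set mgmt-fqdn <up to 10>
  FGT: config system central-management / set type fortimanager / set fmg ...
"""
import ipaddress
import re
import shlex

MAX_MGMT_FQDN = 10  # limit stated in the article for 'set mgmt-fqdn'

# Generic hostname syntax check (assumption, not a FortiOS validation rule).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value: str) -> bool:
    return bool(FQDN_RE.match(value))


def build_fmg_config(addresses):
    """Return the FortiManager CLI block that publishes the given addresses.

    A single IP is emitted with 'set mgmt-addr'; any FQDN, or more than one
    entry, needs 'set mgmt-fqdn'. Limits from the article are enforced.
    """
    addresses = list(addresses)
    if not addresses:
        raise ValueError("at least one address is required")
    if len(addresses) > MAX_MGMT_FQDN:
        raise ValueError(f"mgmt-fqdn accepts at most {MAX_MGMT_FQDN} entries")
    for a in addresses:
        if not (is_ip(a) or is_fqdn(a)):
            raise ValueError(f"not an IP address or FQDN: {a!r}")
    if len(addresses) == 1 and is_ip(addresses[0]):
        body = f'    set mgmt-addr "{addresses[0]}"'
    else:
        body = "    set mgmt-fqdn " + " ".join(f'"{a}"' for a in addresses)
    return "config system admin setting\n" + body + "\nend"


def parse_central_management(fgt_output: str) -> dict:
    """Parse the 'config system central-management' block of a FortiGate
    CLI capture into {setting: [values]}."""
    settings = {}
    in_block = False
    for raw in fgt_output.splitlines():
        line = raw.strip()
        if "config system central-management" in line:
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        if line.startswith("set "):
            parts = shlex.split(line[4:])  # shlex strips the CLI quoting
            settings[parts[0]] = parts[1:]
    return settings


def verify_push(fgt_output: str, addresses) -> bool:
    """True if the FortiGate shows exactly the addresses FortiManager should
    have pushed into 'set fmg' (order is significant on the FortiGate)."""
    s = parse_central_management(fgt_output)
    return s.get("type") == ["fortimanager"] and s.get("fmg") == list(addresses)


# Constructed FortiGate capture mirroring the SD-WAN example in the article.
SAMPLE_FGT_OUTPUT = """\
FGT # show system central-management
config system central-management
    set type fortimanager
    set fmg "10.1.2.3" "10.2.3.4" "fmg01.example.com" "fmg02.example.com"
end
"""

SDWAN_ADDRESSES = ["10.1.2.3", "10.2.3.4", "fmg01.example.com", "fmg02.example.com"]

if __name__ == "__main__":
    print(build_fmg_config(["1.2.3.4"]))
    print(build_fmg_config(SDWAN_ADDRESSES))
    print("push verified:", verify_push(SAMPLE_FGT_OUTPUT, SDWAN_ADDRESSES))
```

Run 'show system central-management' on the managed FortiGate after the FGFM connection is established and feed that capture to verify_push; a False result means the 'set fmg' value was not pushed (or was overwritten), which is exactly the NAT limitation the article describes.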