FortiManager
sjhwang
Staff
Article Id 197517

Description

 
This article describes how to configure FortiManager when behind a NAT device.
 
Limitation:
If a FortiGate (FGT) is discovered by a FortiManager (FMG) that sits behind a NAT device, the 'set fmg' IP value is NOT set automatically on the FGT. As a result, the FortiGate cannot initiate an FGFM tunnel to the FortiManager; the FortiManager has to initiate the connection.
 
Why is this the default?
To ensure FortiGates do not try to point to the private IP of the FortiManager.
 
Problem:
If FortiGates have dynamic IP addresses on their WAN interfaces, the FortiGates need to initiate the connection, since the FortiManager cannot know their current address.
 
 
This article explains the command to use on the FortiManager that allows the FortiManager to configure FortiGates to point to the public IP of the FortiManager.
 
Scope
 
FortiManager.


Solution

 
If the NAT device in front of the FortiManager has a static 1:1 NAT rule, the following command can be used to push the public IP of the FortiManager down to the FortiGates.
 
config system admin setting
    set mgmt-addr "x.x.x.x"

** Detail **


This FMG command is used when FMG is behind a NAT device and FGT accesses FMG via FMG VIP.
Explanation based on topology:
 
  1. Topology.

    FMG.13--10.130.209.0/24--.152 Port15-FGT200B-Port16 .254--10.10.10.0/24--.253-FGT60C

    FMG_VIP -> 10.10.10.102

    Device discovered by a NATed FMG: by default, the FMG IP is not written into the FGT's central-management configuration.

    If 10.10.10.253 is entered in the Add Device section of the FMG GUI, FGT60C can be registered on FMG.

 


 

 

After completing FGT60C registration on FMG, nothing is displayed under the system central-management of FGT.
 
FGT60C # show system central-management
--Nothing is displayed--
 
There are two ways the FMG VIP address can be added under the system central-management of the FGT.

[1] It can be manually configured on FGT, after completing FGT60C registration on FMG:
 
FGT config
    config system central-management
        set fmg <FMG_VIP> 
 
In the above topology, FMG_VIP is 10.10.10.102. 
 
[2] It can be configured on FMG so that this will be set on the FGT during the discovery process automatically:
 
FMG config
    config system admin setting
        set mgmt-addr <FMG_VIP>

In the above topology, FMG_VIP is 10.10.10.102.
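As an added example (not part of the article), a small check that parses the FGT's 'show system central-management' output and reports whether 'set fmg' is missing (the NATed-discovery default), points at the FMG's private subnet (the case the default is meant to avoid), or matches the expected VIP. The subnet and addresses are taken from the topology above; the sample outputs are constructed.

```python
import ipaddress
import re
from typing import Optional

# Values from the article's topology (constructed for this check).
FMG_VIP = "10.10.10.102"                           # public/NATed address of FMG
FMG_PRIVATE_NET = ipaddress.ip_network("10.130.209.0/24")  # FMG's real subnet

# Constructed sample outputs of 'show system central-management' on FGT60C.
OUTPUT_NOT_SET = "FGT60C # show system central-management\n"
OUTPUT_OK = 'config system central-management\n    set fmg "10.10.10.102"\nend\n'
OUTPUT_PRIVATE = 'config system central-management\n    set fmg "10.130.209.13"\nend\n'


def parse_fmg_setting(output: str) -> Optional[str]:
    """Return the value of 'set fmg <addr>' or None when nothing is displayed.

    The \\s+ after 'fmg' keeps keys such as 'fmg-source-ip' from matching.
    """
    match = re.search(r'^\s*set fmg\s+"?([\w.:-]+)"?', output, re.MULTILINE)
    return match.group(1) if match else None


def check_central_management(output: str, expected_vip: str = FMG_VIP) -> str:
    """Classify the FGT's central-management target.

    NOT_SET    : no 'set fmg' line; FGT cannot initiate the FGFM tunnel.
    PRIVATE_IP : FGT points at FMG's private address, unreachable through NAT.
    OK         : FGT points at the expected VIP pushed via 'set mgmt-addr'.
    FQDN       : a hostname is configured; not validated by this check.
    UNEXPECTED : some other IP address.
    """
    fmg = parse_fmg_setting(output)
    if fmg is None:
        return "NOT_SET"
    try:
        addr = ipaddress.ip_address(fmg)
    except ValueError:
        return "FQDN"
    if addr in FMG_PRIVATE_NET:
        return "PRIVATE_IP"
    if fmg == expected_vip:
        return "OK"
    return "UNEXPECTED"


if __name__ == "__main__":
    for label, sample in [("empty", OUTPUT_NOT_SET), ("vip", OUTPUT_OK), ("private", OUTPUT_PRIVATE)]:
        print(f"{label}: {check_central_management(sample)}")
```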