When VPN tunnels are created by the VPN manager for some reason, FortiGate is removed from FortiManager. This will put the device out of sync with FortiManager. Upon adding the device back, VPN tunnels will be removed on the next policy package install.

To avoid the removal of tunnels, follow these steps: 

1. Confirm the tunnel number of the device being added back. It can be confirmed from a managed Hub device when using the 'Hub & Spoke' topology or any managed device when using the 'Site-to-Site'(mesh) topology.

Note:

The tunnel names installed on the FortiGate device by VPN Manager have a Hexadecimal sequence, and the ID of the vpnmgr nodes in the FortiManager database is in Decimal format. Therefore, the 10^th vpnmgr node has its tunnel named as 'a', and the 16^th node as '10'. 

2. Check the VPN manager node in the Policy DB using the command in FortiManager CLI:

execute fmpolicy print-adom-object 3 1005 all

Example of CLI output showing the vpnmgr node for 'VPN-Mesh_a' tunnel:

3. Once the id missing from the 'vpnmgr node' table, create a script by copying the syntax of one of the vpnmgr nodes in the same community (make sure to use the syntax of the correct community, if there is more than 1).
4. Create a CLI script to run on 'Policy Package or ADOM Database', for example, the device had ID 4 when the tunnel was created:

config vpnmgr node

    edit "4"
        set vpntable "VPN"
        set role spoke
        set iface "wan1"
        set automatic_routing enable
        set net-device disable
        set network-id 0
            config protected_subnet
                edit 1
                    set addr "FABRIC_DEVICE"

                next
            end
        set _scope "FortiGate-200E"-"root"
    next

5. Run the script, and it will add the vpnmgr node back, and further installation to the device will not remove the tunnel.

Related article:

Technical Tip: Deploying VPN configuration via FortiManager VPN Manager