Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Fortimanager exposed to public or tunneling ?

Hi Everyone,

I would be interested to know how you did implement your Fortimanager in your environement. Actually I would mostly be interested to know your thaught about having the FMG publicly visible. I have spin up an instance of fmg in the cloud, but now I am wondering if I should exposed the ports to the world so any of our ~150-200 Fortigate can access the FMG, or I should established a tunnel and have the FMG session pass through the tunnel. I feel that having a tunnel will add a layer of management/complexity? Is the FMG secure enough to have the port exposed? In some case the FMG can contact directly the Fortigate, but in some other case the Fortigate is behind a nat and can't be reach . At minimum would restricting by IP through a security group make sense? What about site that don't have static IP?




Honored Contributor

FMG here resides at HQ and all FGT access it through IPSec S2S Tunnels. It is not exposed to the public here.



"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
New Contributor III

More I think about it, more I also think that it would make more sense to get FGT access the FMG through S2S tunnel. My only concern is that I would have like to avoid the the initial configuration of S2S tunnel on the FGT. I wish we could just send the FGT to a client's location or one of our remote office and they would only require to connect some cables and voila  ;) 

Esteemed Contributor III

inside rfc1918 address, no public access, if you ar remote you sslvpn to our concentrator to gain access. Remember it controls the FGT so it should be limited access, imho.



Ken Felix




PCNSE NSE StrongSwan
Top Kudoed Authors