I would be interested to know how you implemented your FortiManager in your environment. Actually, I would mostly be interested to know your thoughts about having the FMG publicly visible. I have spun up an instance of FMG in the cloud, but now I am wondering if I should expose the ports to the world so any of our ~150-200 FortiGates can access the FMG, or if I should establish a tunnel and have the FMG session pass through the tunnel. I feel that having a tunnel will add a layer of management/complexity?
Is the FMG secure enough to have the port exposed? In some cases the FMG can contact the FortiGate directly, but in other cases the FortiGate is behind a NAT and can't be reached. At minimum, would restricting by IP through a security group make sense? What about sites that don't have a static IP?
The more I think about it, the more I also think that it would make more sense to have the FGT access the FMG through an S2S tunnel. My only concern is that I would have liked to avoid the initial configuration of the S2S tunnel on the FGT. I wish we could just send the FGT to a client's location or one of our remote offices and they would only need to connect some cables and voila ;)