Issue between Azure A-P HA cluster and FortiManager
Hi everyone,
A customer has two FortiGates in Azure, configured in an active-passive HA cluster with internal and external load balancers. As per the template, both firewalls have a different IP on the WAN interface, being NATed by the ELB.
This HA cluster should be managed by FortiManager, deployed as a VM on premises and behind NAT, so reachable directly by public IP.
I configured the central-management settings as on all the other firewalls, but this weird thing happens: only one of the two is able to be correctly managed by FMG (when it becomes active, of course). While the other one is active, if I run a sniffer on FMG I see packets from/to the host, but it seems that the firewall is not able to contact FortiManager. If I run an "execute telnet x.x.x.x 541" I can connect, showing that there is reachability. Also, both firewalls are being NATed by the same public IP.
Did anybody have this kind of topology and already had to deal with this problem? Is there any KB I should refer to to troubleshoot this?
Thanks in advance.
Labels: FortiManager
Could it be related to -
Try disabling this check and see if it helps.
Manoj Papisetty
