Hi,
We have a number of Fortigate firewalls which have multiple public WAN interfaces for primary and secondary circuit. The Fortigate also have VPN tunnels to sites which have the FortiManager installed.
We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).
If I add the device via the WAN1 interface, should WAN1 interface go down would the FortiManager establish connection from WAN2? (Does adding a single interface IP, automatically add all other Fortigate interface IP address?)
Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?
Thanks
Sam
You can set the source IP to use to connect to FortiManager, on each FortiGate:
config system central-management
    set fmg-source-ip [ IP ]
end
You would want to update the device in FortiManager to use that same IP as well.
Which interface it uses for outbound connectivity to FMG depends on routing. I would use a loopback IP as the source, so that way traffic will fail-over to the secondary VPN if necessary.
We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).
Not really possible. FMG is not a monitoring platform. You can use FortiAnalyzer to trigger alerts if an interface goes down.
Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?
If you don't manually specify what source IP to use to talk back to FMG, then it all comes down to routing and the egress interface selected. I.e., if you point a FGT to a public IP for FMG, and it ends up using the default route out of WAN1, FMG will see the FGT coming from the IP address assigned to WAN1.
For what it's worth, for internal environments where you have redundant connections, the best thing to do IMHO is use a loopback interface on each FGT for connectivity to FMG, FAZ, and as the primary management interface. That way you can shut down administrative services on the external interfaces, and the management IP is predictable even during a fail-over situation. You can still leave HTTPS/SSH enabled on a trusted internal port in case all VPN connectivity goes down - and bring up a webex with on-site staff to get in to fix stuff.
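A worked FortiOS configuration that implements the loopback-source approach described in this reply. It is added here as an illustration and is not part of the original post or of any Fortinet documentation. The interface name lo-mgmt, the addresses 10.255.0.1 and 203.0.113.10, and the interface names wan1/wan2 are assumed values; the loopback also has to be reachable from the FortiManager through both VPN tunnels (phase 2 selectors and routing on both ends), which this snippet does not configure.

```fortios
# Loopback used as the stable management / source address (assumed values)
config system interface
    edit "lo-mgmt"
        set vdom "root"
        set ip 10.255.0.1 255.255.255.255
        # only the management protocols actually needed, plus fgfm for FMG
        set allowaccess ping https ssh fgfm
        set type loopback
    next
    # public WAN interfaces: no administrative services exposed to the Internet
    edit "wan1"
        set allowaccess ping
    next
    edit "wan2"
        set allowaccess ping
    next
end

# Register with FortiManager and pin the source address to the loopback,
# so a fail-over from WAN1 to WAN2 does not change the IP that FMG sees
config system central-management
    set type fortimanager
    set fmg "203.0.113.10"
    set fmg-source-ip 10.255.0.1
end
```

After applying this, the device entry in FortiManager should be updated to use 10.255.0.1 as the FortiGate's IP, as the reply notes. Keeping HTTPS/SSH on a trusted internal port (not shown) preserves the out-of-band path the reply describes for when all VPN connectivity is down.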
I would also like some clarification around this particularly where vdoms are used.
Can I add a FGT to FMG via an interface that is not in root or global? If the Interface is in global and not assigned to any vdom can we use that interface to add to FMG?
Can I add a FGT to FMG via an interface that is not in root or global? If the Interface is in global and not assigned to any vdom can we use that interface to add to FMG?
An interface is never in a global vdom; a global vdom does NOT exist. What happens is you typically use the "management" vdom for this, and this is typically by default "vdom root".
You can change the management vdom and central management via global system settings and central management.
e.g
config global
    config system global
        set management-vdom <yourvdomname>
    end
    config system central-management
        set type fortimanager
        set vdom <yourvdomnamehere>
    end
end
PCNSE
NSE
StrongSwan
ergotherego wrote:You can set the source IP to use to connect to FortiManager, on each FortiGate:
config system central-management
    set fmg-source-ip [ IP ]
end
You would want to update the device in FortiManager to use that same IP as well.
Which interface it uses for outbound connectivity to FMG depends on routing. I would use a loopback IP as the source, so that way traffic will fail-over to the secondary VPN if necessary.
We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).
Not really possible. FMG is not a monitoring platform. You can use FortiAnalyzer to trigger alerts if an interface goes down.
Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?
If you don't manually specify what source IP to use to talk back to FMG, then it all comes down to routing and the egress interface selected. I.e., if you point a FGT to a public IP for FMG, and it ends up using the default route out of WAN1, FMG will see the FGT coming from the IP address assigned to WAN1.
For what it's worth, for internal environments where you have redundant connections, the best thing to do IMHO is use a loopback interface on each FGT for connectivity to FMG, FAZ, and as the primary management interface. That way you can shut down administrative services on the external interfaces, and the management IP is predictable even during a fail-over situation. You can still leave HTTPS/SSH enabled on a trusted internal port in case all VPN connectivity goes down - and bring up a webex with on-site staff to get in to fix stuff.
I assume if we use a loopback IP address as the source and as the IP which FortiManager connects to (but use the internal IP instead), then, if the FortiGate fails over to the WAN2 interface, the FortiGate will try to report back into the FortiManager, and at this point the FortiGate and FortiManager will establish the connection?
Do we know if we are able to add multiple IP addresses to FortiManager for each FortiGate, so that it can connect to the device should one of the WAN IPs go down?
Should we consider making the FortiManager (FGFM-Access) ports publicly available, and if we do, is the traffic encrypted?