FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
psalian
Staff

Description
This article describes how to change the FortiGate configuration to point to a new IP address for reaching FortiManager.

This can be useful when:
  • migrating to a FortiManager running on a new model/platform.
  • a FortiManager HA fail-over results in the new primary FortiManager having a new public-facing IP (for example, geographic redundancy).
Other Considerations:
  • The new FortiManager can initiate the connection to the FortiGate, provided the FortiGates are not behind another NAT device and have FGFM enabled on the interface facing the FortiManager.
  • It is possible (via the FortiGate CLI only) to preconfigure the FortiGate with BOTH the existing IP address and the new IP address, to prepare for the migration/fail-over of the FortiManager (see the Alternate Method below).


Solution
Basic Method (Single IP):
To be performed after the migration/fail-over of the FortiManager has occurred.

Use the CLI command 'set fmg' to change the IP address for the FortiManager:
# config system central-management
    set fmg <IP2>
end
Where IP2 = the new public-facing IP address of the FortiManager

Once the change has been made, make sure the FortiManager is reachable from the FortiGate on the new IP. On auto-update, the IP address will be updated on the FortiManager for that specific FortiGate.
 
Alternate Method (Multiple IPs):
To be performed prior to the migration/fail-over of the FortiManager.

Use the CLI command 'set fmg' to configure both the existing and the new IP address for the FortiManager:

# config system central-management
    set fmg <IP1> <IP2>
end

For example, multiple FortiManagers could be configured as follows:
set fmg 1.1.1.1 2.2.2.2

Resulting entries in the FortiGate configuration are enclosed in quotes:
set fmg "1.1.1.1" "2.2.2.2"
Where
IP1 = the existing public-facing IP address of the FortiManager (prior to migration/fail-over)
IP2 = the new public-facing IP address of the FortiManager (after migration/fail-over)

If the FortiGate is unable to reestablish connectivity to IP1, the FortiGate will attempt to reach FortiManager using IP2.
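As an added example (not part of the article or of Fortinet's own tooling), a small Python helper that reads the 'set fmg' entries back out of a FortiGate configuration backup and validates them, so the address order (existing IP first, new IP second) and the quoting can be checked for both the Basic and the Alternate Method; the sample stanza is constructed.

```python
import ipaddress
import shlex
from typing import List, Optional

# Constructed sample stanza (not from the article): what the Alternate Method
# leaves in a FortiGate configuration backup once both IPs are set.
SAMPLE_CONFIG = """\
config system central-management
    set fmg "1.1.1.1" "2.2.2.2"
end
"""


def parse_fmg_addresses(config_text: str) -> List[str]:
    """Return the addresses from the 'set fmg' line of the
    central-management stanza, in the order FortiOS tries them
    (first entry = existing FortiManager, second = fallback/new IP).
    Raises ValueError on unbalanced quotes or a malformed address."""
    in_stanza = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config system central-management"):
            in_stanza = True
            continue
        if in_stanza and line == "end":
            break
        if in_stanza and line.startswith("set fmg "):
            try:
                # shlex honours the quoting FortiOS writes into backups and
                # rejects a half-quoted form such as "1.1.1.1" 2.2.2.2" outright.
                tokens = shlex.split(line)[2:]
            except ValueError as exc:
                raise ValueError(f"unbalanced quotes in {line!r}") from exc
            for tok in tokens:
                ipaddress.ip_address(tok)  # ValueError if not an IP address
            return tokens
    return []  # no central-management stanza or no 'set fmg' entry


def fmg_command(existing_ip: str, new_ip: Optional[str] = None) -> str:
    """Build the 'set fmg' line: one IP for the Basic Method, or the
    existing IP followed by the new IP for the Alternate Method."""
    ips = [existing_ip] + ([new_ip] if new_ip else [])
    for ip in ips:
        ipaddress.ip_address(ip)  # refuse typos before they reach the CLI
    return "set fmg " + " ".join(ips)


if __name__ == "__main__":
    print(parse_fmg_addresses(SAMPLE_CONFIG))  # ['1.1.1.1', '2.2.2.2']
    print(fmg_command("1.1.1.1", "2.2.2.2"))   # set fmg 1.1.1.1 2.2.2.2
```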