Administration Guide

Configuring the management address

Configure the management address setting on a FortiManager that is behind a NAT device so the FortiGate can initiate a connection to the FortiManager. By configuring the management address setting in the CLI, FortiManager knows the public IP and can configure it on the FortiGate.

When a FortiGate is discovered by a FortiManager that is behind a NAT device, the FortiManager does not automatically set the IP Address on the FortiGate. This prevents the FortiGate from pointing to the FortiManager's private IP address and initiating the FortiGate-FortiManager (FGFM) tunnel to the FortiManager.

You can use the CLI to configure the management address when the NAT device in front of the FortiManager has a static 1:1 NAT rule.

To configure the management address:

In the FortiManager CLI, enter the following command to define either the management IP address or FQDN.

config system admin setting

set mgmt-addr <FMG_VIP>

set mgmt-fqdn <FMG_FQDN>

end

Configuring multiple management addresses for FortiManager HA

Multiple IP addresses or FQDNs can be configured for FortiManager HA. When listing multiple management addresses, the first address defines the Primary device and the second address is the Secondary device in the FortiManager HA. The FortiGate will attempt to establish the FGFM tunnel using the Primary device first, and if it is unreachable will use the Secondary device. Only one address is ever used to establish the FGFM tunnel at a time.

In the example below, 10.0.0.1 is the Primary device and 10.0.0.2 is the Secondary.

To configure multiple management addresses:
  1. In the FortiManager CLI, enter the following commands.

    config system admin setting

    set mgmt-fqdn 10.0.0.1 10.0.0.2

    end

  2. FortiManager automatically pushes the configuration to FortiGate, and on the FortiGate you can see both management addresses listed:

    config system central-management

    set type fortimanager

    set fmg "10.0.0.1" "10.0.0.2"

    end

    Alternatively, you can configure these settings directly on FortiGate devices.
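A check for step 2, added here as an example and not part of Fortinet's guide: it parses saved CLI output from both devices and reports whether the FortiGate's `fmg` list matches the FortiManager's `mgmt-fqdn` list in the same Primary/Secondary order. The function names and the sample configuration text are constructed for illustration.

```python
def get_setting(config_text, block, key):
    """Return the values of `set <key> ...` at the top level of `config <block>`, else None."""
    depth = 0  # 0 = outside the block, 1 = inside it, 2+ = inside a nested config
    for raw in config_text.splitlines():
        tokens = [t.strip('"') for t in raw.split()]  # FortiGate quotes each address
        if not tokens:
            continue
        if depth == 0:
            if tokens[0] == "config" and " ".join(tokens[1:]) == block:
                depth = 1
        elif tokens[0] == "config":
            depth += 1
        elif tokens[0] == "end":
            depth -= 1
        elif depth == 1 and tokens[:2] == ["set", key]:
            return tokens[2:]
    return None


def audit_push(fmg_config, fgt_config):
    """Return findings; an empty list means the FortiGate matches the FortiManager list."""
    expected = get_setting(fmg_config, "system admin setting", "mgmt-fqdn")
    if not expected:
        return ["FortiManager: no mgmt-fqdn list configured"]
    findings = []
    mgmt_type = get_setting(fgt_config, "system central-management", "type")
    if mgmt_type != ["fortimanager"]:
        findings.append(f"FortiGate: central-management type is {mgmt_type}")
    actual = get_setting(fgt_config, "system central-management", "fmg")
    if actual is None:
        findings.append("FortiGate: no fmg address set")
    elif actual == expected[::-1] and actual != expected:
        findings.append("FortiGate: Primary and Secondary are in the wrong order")
    elif actual != expected:
        findings.append(f"FortiGate: fmg is {actual}, expected {expected}")
    return findings


# Constructed samples that reuse the addresses from the example above.
FMG_CONFIG = "config system admin setting\n    set mgmt-fqdn 10.0.0.1 10.0.0.2\nend\n"
FGT_OK = ('config system central-management\n    set type fortimanager\n'
          '    set fmg "10.0.0.1" "10.0.0.2"\nend\n')
FGT_SWAPPED = FGT_OK.replace('"10.0.0.1" "10.0.0.2"', '"10.0.0.2" "10.0.0.1"')

if __name__ == "__main__":
    for name, cfg in (("ok", FGT_OK), ("swapped", FGT_SWAPPED)):
        print(name, audit_push(FMG_CONFIG, cfg) or "matches FortiManager")
```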
