Configuring the management address
Configure the management address setting on a FortiManager that is behind a NAT device so the FortiGate can initiate a connection to the FortiManager. By configuring the management address setting in the CLI, FortiManager knows the public IP and can configure it on the FortiGate.
When a FortiGate is discovered by a FortiManager that is behind a NAT device, the FortiManager does not automatically set the IP Address on the FortiGate. This prevents the FortiGate from pointing to the FortiManager's private IP address and initiating the FortiGate-FortiManager (FGFM) tunnel to the FortiManager.
You can use the CLI to configure the management address when the NAT device in front of the FortiManager has a static 1:1 NAT rule.
To configure the management address:
In the FortiManager CLI, enter the following command to define either the management IP address or FQDN.
config system admin setting
set mgmt-addr <string>
set mgmt-fqdn <string>
end
Configuring multiple management addresses for FortiManager HA
Multiple IP addresses or FQDNs can be configured for FortiManager HA. When listing multiple management addresses, the first address defines the Primary device and the second address is the Secondary device in the FortiManager HA. The FortiGate will attempt to establish the FGFM tunnel using the Primary device first, and if it is unreachable will use the Secondary device. Only one address is ever used to establish the FGFM tunnel at a time.
To configure multiple management addresses:
- In the FortiManager CLI, enter the following commands.
config system admin setting
set mgmt-fqdn <FQDN/IP 1> <FQDN/IP 2>
end
The set mgmt-fqdn command can be used with FQDNs and IP addresses.
- FortiManager automatically pushes the configuration to FortiGate, and on the FortiGate you can see both management addresses listed:
config system central-management
set type fortimanager
set fmg <FQDN/IP 1> <FQDN/IP 2>
end
Alternatively, you can configure these settings directly on FortiGate devices.
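To confirm what a FortiGate actually received, the following added example (not Fortinet code) parses the central-management block from a saved FortiGate configuration, labels each fmg entry as Primary or Secondary by position, and flags IP literals that are not publicly routable, which is the private-address case described above. It assumes the FortiManager sits behind NAT; the sample configuration, addresses and function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: a FortiGate pointing at a private FortiManager address.
SAMPLE_CONFIG = '''\
config system central-management
    set type fortimanager
    set fmg "10.0.5.20" "fmg-b.example.com"
end
'''

def parse_central_management(config_text):
    """Return top-level 'set' values of 'config system central-management'."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:      # multi-line quoted value elsewhere in the file
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            # Enter the target block, or track a nested block inside it.
            if depth or tokens[1:3] == ["system", "central-management"]:
                depth += 1
        elif tokens[0] == "end" and depth:
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and tokens[0] == "set" and len(tokens) >= 3:
            settings[tokens[1]] = tokens[2:]
    return settings

def audit_fmg_addresses(config_text):
    """Label each fmg entry with its HA role and flag non-routable IPs."""
    findings = []
    fmg = parse_central_management(config_text).get("fmg", [])
    for index, addr in enumerate(fmg):
        role = "primary" if index == 0 else "secondary"
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((role, addr, "fqdn"))   # not an IP literal
            continue
        # is_global is False for RFC 1918, loopback, link-local and similar.
        status = "public-ip" if ip.is_global else "non-routable-ip"
        findings.append((role, addr, status))
    return findings

if __name__ == "__main__":
    for role, addr, status in audit_fmg_addresses(SAMPLE_CONFIG):
        print(f"{role:9} {addr:20} {status}")
```

An FQDN entry is reported as-is; what it resolves to from the FortiGate's side still has to be checked separately.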