Support Forum
Sam_S1
New Contributor

Which interface does Fortigate use to maintain connection to FortiManager

Hi,

 

We have a number of Fortigate firewalls which have multiple public WAN interfaces for primary and secondary circuit. The Fortigate also have VPN tunnels to sites which have the FortiManager installed.

 

We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).

 

If I add the device via the WAN1 interface, should WAN1 interface go down would the FortiManager establish connection from WAN2? (Does adding a single interface IP, automatically add all other Fortigate interface IP address?)

 

Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?

 

Thanks

Sam 

ergotherego
Contributor II

You can set the source IP to use to connect to FortiManager, on each FortiGate:

 

config system central-management
    set fmg-source-ip [ IP ]
end

 

You would want to update the device in FortiManager to use that same IP as well.

 

Which interface it uses for outbound connectivity to FMG depends on routing. I would use a loopback IP as the source, so that way traffic will fail-over to the secondary VPN if necessary.

 

Sam_S1 wrote:

We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).

 

Not really possible. FMG is not a monitoring platform. You can use FortiAnalyzer to trigger alerts if an interface goes down.

 

Sam_S1 wrote:

Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?

 

If you don't manually specify what source IP to use to talk back to FMG, then it all comes down to routing and egress interface selected. Ie, if you point a FGT to a public IP for FMG, and it ends up using the default route out of WAN1, FMG will see the FGT coming from the IP address assigned to WAN1.

 

For what it's worth, for internal environments where you have redundant connections, the best thing to do IMHO is use a loopback interface on each FGT for connectivity to FMG, FAZ, and as the primary management interface. That way you can shut down administrative services on the external interfaces, and the management IP is predictable even during a fail-over situation. You can still leave HTTPS/SSH enabled on a trusted internal port in case all VPN connectivity goes down - and bring up a webex with on-site staff to get in to fix stuff.
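The point made above, that without a fixed source address "it all comes down to routing and egress interface", is easier to see with a small model. The following is an added example written for this thread, not Fortinet code and not from anyone in the thread: it reduces FortiOS route selection to longest-prefix match plus administrative distance, models a VPN tunnel as riding on its WAN port (so the tunnel goes down when the port does), and compares what FortiManager sees before and after WAN1 fails, once with the default interface-address source and once with a loopback source as recommended. All addresses and interface names are constructed for the lab.

```python
"""Model of how a FortiGate picks the egress interface and source address
for its FGFM connection to FortiManager. Added example, not Fortinet code:
routing is reduced to longest-prefix match plus administrative distance,
which is enough to show why a loopback source IP survives a WAN failover.
All addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: ipaddress.IPv4Address
    up: bool = True
    parent: Optional[str] = None  # a VPN tunnel rides on a physical WAN port


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 10  # lower wins, as on FortiOS


def is_up(name: str, ifaces: Dict[str, Interface]) -> bool:
    """An interface is usable only if it and every parent beneath it are up."""
    iface = ifaces[name]
    return iface.up and (iface.parent is None or is_up(iface.parent, ifaces))


def pick_route(routes: List[Route], ifaces: Dict[str, Interface],
               dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest prefix first, then lowest distance, among routes whose interface is up."""
    usable = [r for r in routes if dst in r.prefix and is_up(r.interface, ifaces)]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.prefix.prefixlen, -r.distance))


def fmg_sees(routes: List[Route], ifaces: Dict[str, Interface], fmg_ip: str,
             fmg_source_ip: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """(egress interface, source address) FortiManager sees, or None if unreachable.
    Without 'set fmg-source-ip' the source is the egress interface's own address."""
    route = pick_route(routes, ifaces, ipaddress.ip_address(fmg_ip))
    if route is None:
        return None
    src = fmg_source_ip or str(ifaces[route.interface].ip)
    return route.interface, src


def build_lab() -> Tuple[Dict[str, Interface], List[Route]]:
    """Constructed topology: two WAN ports, one VPN tunnel per port, a loopback."""
    ifaces = {
        "wan1": Interface("wan1", ipaddress.ip_address("203.0.113.10")),
        "wan2": Interface("wan2", ipaddress.ip_address("198.51.100.10")),
        "vpn1": Interface("vpn1", ipaddress.ip_address("10.254.1.1"), parent="wan1"),
        "vpn2": Interface("vpn2", ipaddress.ip_address("10.254.2.1"), parent="wan2"),
        "loop0": Interface("loop0", ipaddress.ip_address("10.255.0.1")),
    }
    fmg_net = ipaddress.ip_network("10.200.0.0/24")  # FMG lives behind the tunnels
    routes = [
        Route(fmg_net, "vpn1", distance=10),  # primary tunnel over WAN1
        Route(fmg_net, "vpn2", distance=20),  # backup tunnel over WAN2
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", distance=10),
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan2", distance=20),
    ]
    return ifaces, routes


def failover_report(fmg_ip: str = "10.200.0.5", loopback: str = "10.255.0.1") -> dict:
    """What FMG sees before and after WAN1 fails, with and without a fixed source."""
    ifaces, routes = build_lab()
    report = {}
    for state in ("wan1 up", "wan1 down"):
        ifaces["wan1"].up = state == "wan1 up"
        report[state] = {
            "interface-ip source": fmg_sees(routes, ifaces, fmg_ip),
            "loopback source": fmg_sees(routes, ifaces, fmg_ip, loopback),
        }
    return report


if __name__ == "__main__":
    for state, seen in failover_report().items():
        print(state, seen)
```

With the interface address as source, FMG's device record (which is tied to one IP) sees 10.254.1.1 while WAN1 is up and 10.254.2.1 after the failover; with the loopback as source it sees 10.255.0.1 in both cases, which is why the loopback plus `set fmg-source-ip` keeps the device registration stable. The loopback still has to be reachable from FMG over both tunnels, so the return route matters as much as the source.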

flamer
New Contributor II

I would also like some clarification around this particularly where vdoms are used.

 

Can I add a FGT to FMG via an interface that is not in root or global? If the Interface is in global and not assigned to any vdom can we use that interface to add to FMG? 

emnoc
Esteemed Contributor III

flamer wrote:

Can I add a FGT to FMG via an interface that is not in root or global? If the Interface is in global and not assigned to any vdom can we use that interface to add to FMG?

 

 

An interface is never in a global VDOM; a global VDOM does NOT exist. What happens is you typically use the "management" VDOM for this, and by default this is "vdom root".

 

You can change the management VDOM and central management via global sys and central management

 

e.g

 

 

config global
    config system global
        set management-vdom <yourvdomname>
    end
    config system central-management
        set type fortimanager
        set vdom <yourvdomnamehere>
    end
end

 

PCNSE NSE StrongSwan
Sam_S1

ergotherego wrote:

You can set the source IP to use to connect to FortiManager, on each FortiGate:

 

config system central-management
    set fmg-source-ip [ IP ]
end

 

You would want to update the device in FortiManager to use that same IP as well.

 

Which interface it uses for outbound connectivity to FMG depends on routing. I would use a loopback IP as the source, so that way traffic will fail-over to the secondary VPN if necessary.

 

We want to ensure the FortiManager monitors the firewall on all interfaces (WAN1, WAN2 and the internal IP interface).

 

Not really possible. FMG is not a monitoring platform. You can use FortiAnalyzer to trigger alerts if an interface goes down.

 

Another question would be if we add the device via the internal interface IP, I assume the device would communicate via WAN1 and WAN2?

 

If you don't manually specify what source IP to use to talk back to FMG, then it all comes down to routing and egress interface selected. Ie, if you point a FGT to a public IP for FMG, and it ends up using the default route out of WAN1, FMG will see the FGT coming from the IP address assigned to WAN1.

 

For what it's worth, for internal environments where you have redundant connections, the best thing to do IMHO is use a loopback interface on each FGT for connectivity to FMG, FAZ, and as the primary management interface. That way you can shut down administrative services on the external interfaces, and the management IP is predictable even during a fail-over situation. You can still leave HTTPS/SSH enabled on a trusted internal port in case all VPN connectivity goes down - and bring up a webex with on-site staff to get in to fix stuff.

I assume if we use a loopback IP address as the source, and as the IP which we connect to via FortiManager (but use the internal IP instead), then, if the FortiGate fails over to the WAN2 interface, the FortiGate will try to report back to the FortiManager; at this point the FortiGate and FortiManager will establish the connection?

 

Do we know if we are able to add multiple IP addresses to FortiManager for each FortiGate, so that it can connect to the device should one of the WAN IPs go down?

 

Should we consider making the FortiManager (FGM-Access) ports publicly available, and if we do, is the traffic encrypted?

 

 
