I'm just now rolling out Fortimanager and Fortigates at all facilities. I had to integrate a new facility with IPSEC back to our original ASA's before we made the purchase of FMG and the additional FGT's for the existing facilities. I now have all FGT's centrally successfully added and managed on the FMG with Full mesh between facilities and the original FGT meshed in and routing through the FGT's now instead of the ASA's. We have MPLS and the only thing I am routing through the new FGT's is Internet traffic at this point, with the exception of the new (first FGT) facility which doesn't have MPLS, it is IPSEC meshed to all other FGT's.

This is the first stage, all internal IPSEC routes between facilities are disabled except the IPSEC only site. Next step is moving MPLS and adding policy routes to allow bringing up the mesh at all sites.

In hindsite I'm not so sure I've added the devices to FMG in the best manner, especially the IPSEC only site. I added the devices by private address instead of the public. When MPLS is migrated I can see that this method should be acceptable because connectivity should be maintained if MPLS goes down through the tunnels, but FMG will isolated from the IPSEC only site if there is a tunnel issue that is not cause by a circuit outage in the IPSEC only site.

I have NAT'd my FMG, added a policy to/from the FMG to ALL FGT public IP's, first with documented FMG port requirements, then when that didn't work made it ALL. I tried changing the IPSEC only IP to the public and push the config out, but end up loosing management capabilities of the IPSEC only FGT and FMG shows config conflicts.

My questions are first what would be best practice for not only the IPSEC only association in FMG, but also what would be suggested for the FGT's on the MPLS(I am assuming private is fine here).

And the biggest issue is how to successfully add the IPSEC FGT with the FMG being behind my FGT at corporate. I cannot seem to successfully change that FGT from the private to public address in FMG.