FortiGate
jjahanshahi
Staff
Article Id 196948
Description
This article explains how to connect a FortiManager to a FortiGate over a VPN that runs across a 3G ISP line.

Solution
For this setup the following is required on the FortiGate:
config system central-management
    set fmg <IP address of the FortiManager>
    set fmg-source-ip <IP of the VPN interface or internal interface of the FortiGate>
end
Setting fmg-source-ip to an address that is reachable through the tunnel ensures the management (FGFM) traffic is sourced from that address and routed over the VPN rather than out the 3G interface directly.

On the firewall policies that carry the VPN traffic, the TCP MSS must be clamped in both directions. The VPN encapsulation on top of the 3G link reduces the usable MTU, and without clamping, full-size segments on the FGFM connection (TCP port 541) would be fragmented or dropped:
config firewall policy
    edit <VPN policy ID>
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
    next
end

If the FortiGate is behind another NAT device, the same changes must be made on that unit as well.

The following debug output and packet captures can be used to verify that the MSS matches on all ends:

On both FortiGates:
# diagnose debug application fgfmd -1
# diagnose debug enable
# diagnose sniffer packet <VPN interface name> "port 541" 3
Verbosity level 3 prints each packet as a hex dump, so this output can be converted to a pcap file and opened in Wireshark.

On the FortiManager:
# diagnose debug application fgfmsd -1
# diagnose debug enable
# diagnose sniffer packet any "host 10.241.77.2 and port 541" 3
(10.241.77.2 is an example IP; use the FortiGate address as seen from the FortiManager, which is the fmg-source-ip configured above unless a NAT device is in the path.)

This output can likewise be converted to a pcap file and opened in Wireshark. Once the captures are collected, turn debugging off again on each unit with diagnose debug disable.
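As an added example (not part of the article and not a Fortinet tool), the Python script below decodes the verbosity-3 sniffer output from either side and reports the MSS each end advertises on the port 541 SYN and SYN-ACK, so the captures from the FortiGates and the FortiManager can be compared against the 1300 clamp without first converting them to pcap. The embedded sample is constructed to resemble that output format; the interface name vpn-to-hub, the peer address 10.241.77.1 and the port numbers are assumptions.

```python
import re
import struct
# Constructed sample shaped like verbosity-3 sniffer output (not a real capture):
# a SYN from the FortiGate advertising MSS 1300, answered by a SYN-ACK carrying 1460.
SAMPLE = """\
5.123456 vpn-to-hub out 10.241.77.2.35001 -> 10.241.77.1.541: syn 1
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500   ..............E.
0x0010   002c 1234 4000 4006 0000 0af1 4d02 0af1   .,.4@.@......M..
0x0020   4d01 88b9 021d 0000 0001 0000 0000 6002   M.............`.
0x0030   3908 0000 0000 0204 0514                  9.........
5.130000 vpn-to-hub in 10.241.77.1.541 -> 10.241.77.2.35001: syn 0 ack 2
0x0000   0009 0f09 0002 0009 0f09 0001 0800 4500   ..............E.
0x0010   002c 5678 4000 4006 0000 0af1 4d01 0af1   .,Vx@.@......M..
0x0020   4d02 021d 88b9 0000 0000 0000 0002 6012   M.............`.
0x0030   3908 0000 0000 0204 05b4                  9.........
"""

def parse_packets(text):
    """One bytes object per packet; a non-hex line starts a new packet, and the
    hex columns end at the first token that is not a 2- or 4-digit hex group."""
    packets = []
    for line in text.splitlines():
        if line.startswith("0x") and packets:
            for tok in line.split()[1:]:
                if not re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", tok):
                    break                          # reached the ASCII column
                packets[-1] += bytes.fromhex(tok)
        elif line.strip():
            packets.append(bytearray())
    return [bytes(p) for p in packets if p]

def syn_mss(raw):
    """(src, dst, mss) for an IPv4 TCP SYN/SYN-ACK, else None; Ethernet or raw IP dumps."""
    if len(raw) > 14 and raw[12:14] == b"\x08\x00":
        raw = raw[14:]                             # strip the Ethernet header
    if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None                                # not IPv4 carrying TCP
    tcp = raw[(raw[0] & 0x0F) * 4:]
    if not tcp[13] & 0x02:
        return None                                # SYN clear: no MSS option expected
    opts, mss, i = tcp[20:(tcp[12] >> 4) * 4], None, 0
    while i < len(opts) and opts[i] != 0:          # walk options until end-of-list
        if opts[i] == 2:                           # kind 2 = MSS, 16-bit value
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += 1 if opts[i] == 1 else opts[i + 1]    # NOP is 1 byte, others carry a length
    sport, dport = struct.unpack("!HH", tcp[:4])
    src, dst = (".".join(map(str, raw[o:o + 4])) for o in (12, 16))
    return f"{src}:{sport}", f"{dst}:{dport}", mss

def check_mss(text, expected=1300, port=541):
    """(src, dst, mss, matches_expected) for every SYN/SYN-ACK on the FGFM port."""
    return [(*i, i[2] == expected) for i in map(syn_mss, parse_packets(text))
            if i and (i[0].endswith(f":{port}") or i[1].endswith(f":{port}"))]
```

Running check_mss over a real capture from each unit shows immediately which side is still advertising a larger MSS than the clamp, which is the case the sample's SYN-ACK demonstrates.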
