When a FortiManager is deployed behind a Network Address Translation (NAT) device, managed devices on the other side of the NAT boundary must use FortiManager's public IP address to establish a connection. The NATed IP setting, configured under System Settings > Admin > Admin Settings, is specifically designed for this purpose. During the device discovery and authorization process, FortiManager provides this configured NATed IP address (100.65.0.120 in this case) to the FortiGate. The FortiGate then updates its central management settings (config system central-management) to use this public IP for all subsequent management traffic, ensuring successful communication.

A. The FortiGate is configured with only one management IP address. Pushing the private, non-routable IP (10.0.13.120) would cause a connection failure.

B. The IP address 100.65.0.101 is not relevant to the configuration shown in the exhibit or the described scenario.

C. The IP address 100.65.0.101 is not configured on the FortiManager and has no role in this management process.

1. FortiManager Administration Guide 7.2.0

Page 100

"Admin settings".

The guide states for the NATed IP field: "If FortiManager is behind a NAT device

enter the NATed IP address that FortiGate devices will use to connect to FortiManager." This confirms that the NATed IP is the address provided to the managed devices.

2. Fortinet Cookbook

"Adding a FortiGate to FortiManager (NAT mode)"

Document ID: FD40540.

This official guide details the exact scenario: "When adding the FortiGate

FortiManager will use the NATed IP to configure the central-management settings on the FortiGate. The FortiGate will then use this IP address to connect to the FortiManager." This explicitly confirms that the NATed IP is set on the FortiGate.