Protocol operation on FortiManager
Much like how a TUN device is created on the FortiGate side of the connection, the FortiManager unit also creates a similar TUN device. This device is configured to have the same IP address as the physical interface through which the FortiManager communicates with the FortiGate unit.
A daemon on the FortiManager receives fgfm messages and, on receipt of each message, compares the FortiGate’s declared IP address with the actual remote IP address to determine whether the FortiGate unit is behind a NAT device.
A routing table is maintained for the TUN device such that traffic destined for any FortiGate behind NAT is routed through the TUN based on each FortiGate’s unique serial number and IP address. The fgfm daemon running on the FortiManager assigns a unique internal-use IP address to each FortiGate behind NAT so that it can distinguish between units and route traffic to the appropriate device via SSL.
Initially, the FortiGate’s virtual TUN device has no IP address. If the FortiManager detects that the FortiGate is behind NAT, it allocates a unique internal IP address and notifies the FortiGate of this address.
Command line output of FortiManager tunneling
Regardless of whether or not the FortiGate unit is behind NAT, the FortiManager always sends management traffic via the secure tunnel. The FortiGate unit assigns the address provided by the FortiManager to its TUN device so that traffic sent to the FortiManager appears to have come from that address.
Conversely, the FortiManager sends any traffic destined for the FortiGate to the same address, routing it over the FortiManager’s TUN device via SSL back to the FortiGate.
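The NAT-detection and address-allocation steps above, together with the TUN routing table that maps each internal address back to a FortiGate, can be modelled as manager-side bookkeeping. The following is an added illustration written for this page, not Fortinet’s fgfm daemon code: the message fields, the serial numbers, the observed addresses and the `10.255.0.0/24` internal pool are all constructed assumptions. It shows the comparison of declared versus observed source address, allocation of one internal-use address per serial number (stable across reconnects), and the lookup the manager performs before sending traffic down the TUN device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ManagedDevice:
    """State the manager keeps per FortiGate (hypothetical model)."""
    serial: str
    declared_ip: str           # address the FortiGate reports in its fgfm message
    observed_ip: str           # source address actually seen on the SSL socket
    behind_nat: bool
    tunnel_ip: Optional[str]   # internal-use address assigned by the manager, if any


class FgfmManagerModel:
    """Toy model of the manager-side logic described above.

    Not Fortinet code: it only demonstrates the decision flow, using an
    assumed private pool for the internal-use tunnel addresses.
    """

    def __init__(self, pool: str = "10.255.0.0/24") -> None:
        self._pool = iter(ipaddress.ip_network(pool).hosts())
        self.devices: Dict[str, ManagedDevice] = {}
        # Route table for the TUN device: internal tunnel address -> serial number.
        self.routes: Dict[str, str] = {}

    def on_hello(self, serial: str, declared_ip: str, observed_ip: str) -> ManagedDevice:
        """Handle one fgfm message from a FortiGate and update state.

        NAT is inferred when the address the device claims for itself differs
        from the address its packets actually arrive from.
        """
        behind_nat = ipaddress.ip_address(declared_ip) != ipaddress.ip_address(observed_ip)

        existing = self.devices.get(serial)
        tunnel_ip = existing.tunnel_ip if existing else None

        # Allocate an internal address once per serial; a reconnecting unit
        # keeps the address it already holds so routes stay stable.
        if behind_nat and tunnel_ip is None:
            try:
                tunnel_ip = str(next(self._pool))
            except StopIteration:
                raise RuntimeError("internal tunnel address pool exhausted")
            self.routes[tunnel_ip] = serial

        device = ManagedDevice(serial, declared_ip, observed_ip, behind_nat, tunnel_ip)
        self.devices[serial] = device
        return device

    def reply_for(self, serial: str) -> dict:
        """Build the notification the manager would send back (constructed shape)."""
        device = self.devices[serial]
        return {"serial": serial, "behind_nat": device.behind_nat, "tunnel_ip": device.tunnel_ip}

    def next_hop(self, dest_ip: str) -> Optional[str]:
        """Return the serial reached via the TUN device for dest_ip, or None
        when the destination is a directly reachable (non-NAT) unit."""
        return self.routes.get(dest_ip)


if __name__ == "__main__":
    mgr = FgfmManagerModel()
    # Constructed sample: a unit whose declared address is RFC 1918 but which
    # is seen arriving from a public address, i.e. it sits behind NAT.
    nat_unit = mgr.on_hello("FGT-CONSTRUCTED-0001", "192.168.1.10", "203.0.113.5")
    direct_unit = mgr.on_hello("FGT-CONSTRUCTED-0002", "198.51.100.7", "198.51.100.7")
    print(mgr.reply_for(nat_unit.serial))      # tunnel address allocated
    print(mgr.reply_for(direct_unit.serial))   # no tunnel address needed
    print(mgr.next_hop(nat_unit.tunnel_ip))    # routes back to the NAT unit
```

The model keys allocation on the serial number rather than on the observed address because, as the page notes, several units may share one NAT address; only the serial distinguishes them. Pool exhaustion is surfaced as an error rather than silently reusing an address, since reuse would let traffic for one unit be routed to another.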