Skip to main content
dbabic
Staff
dbabic
Staff
November 4, 2016

Technical Tip: FortiGate dedicated-mgmt feature, or Out-of-band Management

  • November 4, 2016
  • 0 replies
  • 94385 views

Description

 
This article describes the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate Out-of-band Management.
 
Out-of-band, in this sense, means separate from the user traffic and maintaining a separate routing table.
 
This is done using either or both of the following methods:
  • Reserving an interface in HA for individual management of FortiGates (up to 4 interfaces).
  • On select models, a separate interface can be configured with 'dedicated-mgmt' interface/routing.

This article refers to the second method. Discussion of the HA reserved management interface is left to other reference documents, including the article: Technical Tip: HA Reserved Management Interface.
 
The feature can also be used in standalone mode, allowing a dedicated port to be used for management.
 
The feature might also be useful when using two management channels in the case when the primary in-band management port is unreachable, making it possible to reach the FortiGate by the secondary out-of-band channel.

For example, if using the wan1 port as the primary port for management, and the dedicated-mgmt feature is enabled by using for example mgmt1 port for out-of-band management, there will be a redundant management port, which is useful if the port wan1 becomes unavailable.


Scope

 

This feature is available on models with mgmt/mgmt1/mgmt2 ports, such as the following:

 

  • FortiGate-100F/101F.
  • FortiGate-120G/121G.
  • FortiGate-200F/201F.
  • FortiGate-400F/401F.
  • FortiGate-600F/601F.
  • FortiGate-900G/901G.
  • FortiGate-1000F/1001F.
  • FortiGate-3000F/3001F.
  • FortiGate-3200F/3201F.
  • FortiGate-3500F/3501F.
  • FortiGate-3700F/3701F.
  • FortiGate-4800F/4801F.
  • FortiGate-6000F.
  • FortiGate-7000E/7000F.
  • FortiWIFI-1801F.
  • FortiWIFI-2600F.
  • FortiWIFI-3980E.
  • FortiWIFI-4200F.
  • FortiWIFI-4400F/4401F.
  • FortiWIFI-4801F.
  • FortiWIFI-3980E.

 

Solution

 
The mgmt interface must not be referenced elsewhere to be configured in dedicated-mgmt.
 
To check first, this command should not return anything; only then can mgmt be used:
 
diagnose sys cmdb refcnt show system.interface.name mgmt
 
Configuration CLI:
 
config system dedicated-mgmt
    set status {enable | disable}
    set interface [mgmt | mgmt1 | mgmt2 ]
    set default-gateway x.x.x.x
    set dhcp-server {enable | disable}
    set dhcp-netmask
    set dhcp-start-ip
    set dhcp-end-ip
end
 
The following effects occur when 'config system dedicated-mgmt' is enabled and the interface is set to mgmt1:
 
config system dedicated-mgmt
    set status enable
    set interface "mgmt1"
    set default-gateway 10.24.3.200
    set dhcp-server enable
    set dhcp-netmask 255.255.252.0
    set dhcp-start-ip 10.24.3.201
    set dhcp-end-ip 10.24.3.210
end
 
In the background, the FortiGate creates a hidden VDOM named 'dmgmt-vdom', and the mgmt1 interface VDOM will be switched from root to dmgmt-vdom:
 
config system interface
    edit "mgmt1"
        set vdom "dmgmt-vdom"

     set ip 10.24.3.199 255.255.252.0

     set allowaccess ping https ssh http telnet

     set type physical

     set dedicated-to management

     set role lan

     set snmp-index 27

next

end

 

To enter the dmgmt-vdom VDOM on the FortiGate: 
 

execute enter dmgmt-vdom

current vdom=dmgmt-vdom:3

 

get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

       O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       V - BGP VPNv4

       * - candidate default

 

Routing table for VRF=0

S*      0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0] <-- Default route via mgmt1 created in dmgmt-vdom.

C       10.24.0.0/22 is directly connected, mgmt1

 
The mgmt1 interface cannot be referenced in the configuration file anymore.

Note:
There is a known issue with the dedicated-mgmt feature in HA deployments. When a device newly joins an HA cluster where the primary unit already has the dedicated management interface enabled, the joining unit may lose the MGMT interface itself. As a result, the interface will no longer be visible in the system configuration, and CLI commands or diagnostic commands related to the MGMT interface cannot be executed.

For example:

 

show system interface mgmt

entry is not found in global table

diagnose hardware deviceinfo nic mgmt
Command fail. Return code -1

This issue has been resolved, and the fix is available in FortiOS versions 7.4.9, 7.6.4, 8.0.0, and above.

 
To keep mgmt1 as a dedicated-to management interface and to allow referencing it in the configuration file, a VRF can be set on mgmt1 instead:
 

config system dedicated-mgmt

    set status disable

end

 

config system interface

    edit "mgmt1"

        set vdom "root"

        set vrf 1

        set ip 10.24.3.199 255.255.252.0

        set allowaccess ping https ssh http telnet

        set type physical

        set dedicated-to management

        set role lan

        set snmp-index 27

    next

end

 
The default route via mgmt1 can be created:

 

config router static

    edit 0

        set gateway 10.24.3.200

        set device "mgmt1"

    next

 

get router info routing-table database

 

Routing table for VRF=1

S    *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]

C    *> 10.24.0.0/22 is directly connected, mgmt1



The 'dedicated-to management' feature:
Setting an interface as 'dedicated-to management' can be done in the GUI as well as the CLI. However, this is a different function from dedicated-mgmt configuration.

 
1.PNG

 

config system interface

    edit mgmt
        set dedicated-to management

    next
end

 

When the mgmt interface is set up with 'dedicated-to management', it will not show up in the interface selection in firewall policies. For example, if firewall management access is taken on the 'dedicated-to management interface' from the user's PC, then that user's PC cannot access the internet via the dedicated-to management interface from which firewall access is taken.
 
However, the dedicated-to management interface may have static routes assigned, and the firewall itself may have internet access over this interface.
 

Note:

When configuring a VM FortiGate, use this article, Technical Tip: HA Reserved Management Interface when configuring the VM due to a limited number of available interfaces.

 

When an interface is set to 'dedicated-to management', the settings with this interface will be synced between the Primary and the Secondary units. This is different than the HA dedicated management interface, which is NOT synced between the Primary and the Secondary units.

 

Related article:

Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID

    Terms & ConditionsAccessibility statement