SaVen
New Member
May 9, 2017
Question

Default gateway for Management Interface

  • May 9, 2017
  • 2 replies
  • 91466 views

How do we set a default gateway for the management interface that won't interfere with the system routing table when VDOMs are enabled? I don't see a dedicated-mgmt option.

    2 replies

    aagrafi
    New Member
    May 9, 2017

    You can place the management port into a separate VDOM of its own. Then make this VDOM the management VDOM. This way:

    a. The default gateway of the mgmt VDOM won't interfere with the system's routing table and

    b. The mgmt traffic won't interfere with the real data traffic.
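The separate-management-VDOM approach described above, worked through as an added example (this is not code from the thread or from Fortinet documentation). The interface name "mgmt", the VDOM name "mgmt-vdom", the 192.0.2.0/24 subnet and the 192.0.2.1 gateway are assumptions; substitute your own. Lines beginning with `#` are comments.

```fortios
# Added example, not from the original thread. "mgmt", "mgmt-vdom",
# 192.0.2.10/24 and gateway 192.0.2.1 are assumed values.

config global
    # 1. Create a VDOM that will hold nothing but the management port.
    config system vdom
        edit "mgmt-vdom"
        next
    end

    # 2. Move the management port into it and limit what it answers to.
    #    No http or telnet: plaintext protocols do not belong on a
    #    management plane.
    config system interface
        edit "mgmt"
            set vdom "mgmt-vdom"
            set ip 192.0.2.10 255.255.255.0
            set allowaccess ping https ssh snmp
            set type physical
            set description "OOB management, lives in mgmt-vdom only"
        next
    end

    # 3. Make it the management VDOM, so the unit's own traffic (DNS, NTP,
    #    FortiGuard, syslog, admin sessions) is sourced from here and not
    #    from a data VDOM.
    config system global
        set management-vdom "mgmt-vdom"
    end
end

# 4. The default route goes into mgmt-vdom's own routing table. The data
#    VDOMs (e.g. "root") never see it, so production traffic cannot be
#    routed out of "mgmt".
config vdom
    edit "mgmt-vdom"
        config router static
            edit 1
                set gateway 192.0.2.1
                set device "mgmt"
            next
        end
    next
end

# 5. Check: the static default route must appear in mgmt-vdom and must be
#    absent from the data VDOM's table.
config vdom
    edit "mgmt-vdom"
        get router info routing-table static
    next
    edit "root"
        get router info routing-table static
    next
end
```

The trade-off, as the thread goes on to discuss, is that this consumes one VDOM from the licensed count. Changing `management-vdom` also changes where the unit sources its own outbound traffic, so verify that DNS, NTP and log forwarding still reach their servers through the new VDOM's default route before leaving the console.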

    emnoc
    New Member
    May 9, 2017

    I would not waste a VDOM for this, imho.

    If you want OOB management and have an aux or mgmt interface, just configure these for mgmt use, e.g.:

    config system interface
        edit "mgmt"
            set ip 11.1.1.1 255.255.255.0
            # Only the management protocols you need; no http/telnet.
            set allowaccess ping https ssh snmp fgfm
            set type physical
            # Keeps this interface out of every VDOM's routing table.
            set dedicated-to management
            set description "MANAGEMENT OOB ACCESS"
            set device-identification enable
        next
    end

    Now under the HA cfg:

    config system ha
        set ha-mgmt-status enable
        set ha-mgmt-interface "mgmt"
        # Default gateway for the reserved management interface only.
        set ha-mgmt-interface-gateway 11.1.1.254
    end

    That interface will not be in any VDOM RIB table.


    Kenundrum
    New Member
    May 9, 2017

    The problem is that if the management interface is in the same subnet as the traffic interfaces, it would interfere with the routing and possibly send some traffic out the management interface instead of an accelerated interface. The `set dedicated-to management` only worked if the IP was in a different subnet. So it was not possible to have the FGT processing traffic at 192.168.1.10 and have an out-of-band management-only interface at 192.168.1.12, for example.

    I opened a case about this some years ago running some version of 5.2.x and was told this was by design.

    I was told (not by Fortinet) it has been tweaked in more recent firmware, where there is a quasi-hidden VDOM that separates the routing of dedicated management interfaces and doesn't eat a VDOM license, but my configurations already include a separate management-only VDOM so I can't readily test it.

    SaVen
    Author
    New Member
    May 10, 2017

    That will just be a workaround, enabling HA when there is no requirement; I think we should be looking for a solution rather.

    Is there a way to submit a feature request?

    emnoc
    New Member
    May 10, 2017

    You need a NFW (new feature request), but you do have a solution as-is that's vetted: just enable A-P with

    or

    The other option would be to look at doing the "dmgmt-vdom", which is also used for a dedicated mgmt:

    http://socpuppet.blogspot.com/2015/12/hidden-vdom-fortios-multi-vdom-mode.html

    config system interface
        edit "port3"
            set vdom "dmgmt-vdom"
            set ip 1.1.1.1 255.255.255.254
            set type physical
        next
    end

     

    FWIW, v5.2.11 is now generating the following error when doing exactly the above:

    "Serious error happened. Please reboot"

    YMMV