Skip to main content
paulinster
paulinster
Visitor III
September 26, 2018
Question

Remotely access out of band/management network over vpn

  • September 26, 2018
  • 1 reply
  • 9256 views

Hi Everyone, I would like to setup some kind of out of band network with the 501E pair of firewall I am currently configuring. I have a separate management network from the data network. The fortigate's management port is uplinked to the management network switch, and also have uplink to the data plane network switches. I was wondering if it would be possible to access the management network remotely over SSL/Ipsec vpn by adding some polcies that would allow traffic from VPN interface to management interface. I know that data traffic shouldn't transit over the management interface, but in this case I don't want to use it as a "data" interface but rather use it to to remotely access management network over SSL/VPN. Currently look like management interface doesn't show up in the policies. Should I just add another "data" lan interface that I could use to jump in the management network for SSL/VPN remote connection? Wouln't this cause confusion to the FGT as the management and lan interface be in the same subnet? 

Thanx for your help/suggestion... 

    1 reply

    paulinster
    paulinsterAuthor
    Visitor III
    September 27, 2018

    So is anyone has setup some kind of out of band remote access with FGT?  

    lobstercreed
    lobstercreed
    New Member
    November 30, 2018

    Is your management network switch capable of routing?  I agree that you would probably have an issue if you put another LAN interface in the same subnet as your MGMT interface, but you could set up a separate subnet on the data plane to go from the firewall into the management network switch, with a route statement in the data plane on the firewall pointing to the management switch IP.  That's basically how we have it set up, though we don't truly have a separate management network...just a VLAN.

     

    Here's an example of what I'm suggesting.  If your management network is 172.16.1.0/24, and lan2 is available on the firewall.

     

    Set aside a new subnet between the firewall and management switch...say 172.16.100.0/30, and configure both sides with the firewall having the .1 address. 

     

    On the firewall:

    Put in a static route for 172.16.1.0/24 pointing to 172.16.100.2 via lan2.

    Configure a FW policy for SSL.root to lan2, allowing traffic from your VPN tunnel addresses to 172.16.1.0/24

     

    On the management switch:

    Put in a static route for your VPN tunnel addresses with a destination of 172.16.100.1

     

    Your drawing would be something like this:

     

    WAN <----> FGT_DATA <--172.16.100.0/30--> MGMT_SWITCH <--172.16.1.0/24-->  FGT_MGMT

     

    Let me know if that works...of course it depends on your management network having a L3 switch.

    emnoc
    emnoc
    New Member
    December 1, 2018

    Read this  post of mine, beadvise fortiOS has changed some aspect of ssl.root in various platforms or  FortiOS. This would allow you  to trust the vpn  access and you could  even set the vpn-pool as trusthost. Keep in mind, if you screw up the  vpn configuration  you could be locked out until you correct the change.

     

    http://socpuppet.blogspot.com/2015/03/sslvpn-sslroot-management-access.html

     

    YMMV

     

    Ken Felix

     

    Terms & ConditionsAccessibility statement