svishal
Staff & Editor
Article Id 369545
Description

 

This article describes an issue where, after upgrading a FortiGate to v7.6.1, the GUI shows LAN interfaces that have an IP address in the network ranges 172.31.0.0/16 or 192.168.0.0/16 as managed by IPAM even though the feature is globally disabled. The GUI also does not allow DHCP IP Address Assignment Rules to be created.

 

Scope

 

FortiGate with default IPAM settings as below, upgraded to v7.6.1:

 

config system ipam
    set status disable
    config pools
        edit "default-pool"
            set subnet 172.31.0.0 255.255.0.0
        next
        edit "lan-pool"
            set subnet 192.168.0.0 255.255.0.0
        next
    end
    config rules
        edit "role-lan"
            set device "*"
            set interface "*"
            set role lan
            set pool "lan-pool"
            set dhcp enable
        next
    end
end

 

Although the status is disabled (by default), the GUI shows interfaces whose addresses fall within the network ranges defined in the two pools above as managed by IPAM.

 

Example:

 

[Image: ipam 1.jpeg]

 

The GUI restricts configuring DHCP IP Address Assignment Rules:

 

[Image: ipam dhcp.png]
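
To check a configuration backup for interfaces that match the condition described above, the following added example (not Fortinet code) parses `config system interface` and lists LAN-role interfaces whose address falls in one of the two default pool subnets and that do not set `ip-managed-by-fortiipam disable`. The function name, the sample configuration and the matching logic are assumptions built from this article's description, not FortiOS's own selection logic.

```python
import ipaddress

# Constructed backup excerpt for illustration; not taken from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set role wan
    next
    edit "port2"
        set ip 192.168.10.1 255.255.255.0
        set role lan
    next
    edit "port3"
        set ip 172.31.5.1 255.255.255.0
        set role lan
        set ip-managed-by-fortiipam disable
    next
end
"""
# Pool subnets from the article's default "config system ipam" block.
DEFAULT_POOLS = ("172.31.0.0/16", "192.168.0.0/16")

def flagged_interfaces(config_text, pools=DEFAULT_POOLS):
    """Names of LAN-role interfaces addressed inside a pool and not opted out."""
    nets = [ipaddress.ip_network(p) for p in pools]
    hits, depth, name, attrs = [], 0, None, {}
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:  # outside the interface table
            depth = int(line == "config system interface")
        elif line.startswith("config "):  # nested block inside an interface entry
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name, attrs = line[5:].strip('"'), {}
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            attrs[key] = value
        elif depth == 1 and line == "next":
            ip = (attrs.get("ip") or "0.0.0.0").split()[0]  # "set ip <addr> <mask>"
            in_pool = any(ipaddress.ip_address(ip) in n for n in nets)
            opted_out = attrs.get("ip-managed-by-fortiipam") == "disable"
            if in_pool and attrs.get("role") == "lan" and not opted_out:
                hits.append(name)
    return hits

if __name__ == "__main__":
    print(flagged_interfaces(SAMPLE_CONFIG))
```

If the pools in `config system ipam` have been changed from the defaults, pass their subnets in CIDR form as the `pools` argument.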

 

Solution

 

v7.6.1 introduced changes to the IPAM configuration, as described in the release notes.

 

However, even with the feature globally disabled, the GUI shows the interface as managed by IPAM and disables the option to configure DHCP reservations, assignments, and blocks, i.e. any DHCP IP Address Assignment Rules.

 

The CLI still allows configuring DHCP reservations.

 

Any of the following options can be implemented as a workaround to this issue:

 

Option 1: Disable IPAM for a specific interface:

To disable this via the GUI, navigate to System -> FortiGate, select the required interface, and select 'Manual' under the 'Address' section.


To do the same via the CLI:

 

config system interface
    edit "port2"
        set ip-managed-by-fortiipam disable
    next
end

 

Option 2: Revert the default action for managing LAN interfaces:

 

config system ipam
    set manage-lan-addresses disable
end

 

Option 3: Disable 'Interfaces with LAN role' in the GUI. Go to Network -> IPAM, select the IPAM Settings tab, and toggle off 'Interfaces with LAN role':

 

[Image: 2025-03-25 11 26 55.png]

 

A permanent fix is being addressed internally and will be available in a future release on the v7.6 train (tentatively scheduled for v7.6.3; subject to change).