FortiGate
caunon
Staff
Article Id 367630

Description

This article describes the situation in which the mgmt interface cannot be selected when configuring a local-in-policy.
Scope

FortiGate v7.2.8 and v7.2.10.

Solution

When entering the following CLI commands:

config firewall local-in-policy
    edit 1
        set intf ?

the mgmt interface does not appear in the interface list returned by 'set intf ?' under local-in-policy.


To fix it:

First, check whether the mgmt interface is assigned under the dedicated-mgmt setting, using the CLI commands below.

config system dedicated-mgmt
show

config system dedicated-mgmt
    set status enable
    set interface "mgmt"
    set default-gateway x.x.x.x <----- Gateway IP address.
end


If it is, either disable dedicated-mgmt or assign a different interface to dedicated-mgmt so that mgmt is no longer reserved for it.


To disable dedicated-mgmt:

config system dedicated-mgmt
    set status disable
end


To remove the mgmt interface from the dedicated-mgmt setting instead:

config system dedicated-mgmt
    set interface yyy <----- Replace mgmt with another interface (yyy).
end


The mgmt interface then appears in the interface list for local-in-policy, and a local-in-policy can be configured with it:

config firewall local-in-policy
    edit 1
        set intf mgmt

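As an added example that is not part of the original article, the following shows a complete local-in-policy using the mgmt interface once it has been released from dedicated-mgmt. It restricts administrative access (HTTPS and SSH) arriving on mgmt to a single trusted management subnet and explicitly denies the same services from any other source. The address object name MGMT_ALLOWED and the subnet 10.0.0.0/24 are assumptions chosen for illustration. Local-in policies are evaluated in order, so the accept entry must come before the deny entry. Note that once dedicated-mgmt is disabled, the default-gateway configured under it no longer applies to mgmt, so confirm the management station is still reachable through the normal routing table before locking the interface down.

```fortios
# Added example, not from the original article: restrict admin access on mgmt
# after it has been removed from dedicated-mgmt. MGMT_ALLOWED and 10.0.0.0/24
# are assumed values; replace them with the real management subnet.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 10.0.0.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Entry 1: allow HTTPS and SSH to the FortiGate itself from the trusted subnet only
    edit 1
        set intf "mgmt"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    # Entry 2: deny the same services from every other source on mgmt
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

After applying this, test from an address inside MGMT_ALLOWED that the GUI and SSH still work, and from an address outside it that the connection is refused. The refcnt command in the Note below can be used to confirm that the mgmt interface is now referenced by the local-in-policy.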

Note:

Interface references can be verified through the GUI or with the following command:

diagnose sys cmdb refcnt show <path.object.mkey>


Related article:

Technical Tip: How to Check Referenced Objects