Description
This article describes the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate out-of-band management.
Out-of-band in this sense means that management traffic is kept separate from user traffic and uses its own routing table.
This is done using either or both of the following methods:
- Reserving an interface in HA for individual management of each FortiGate in the cluster (up to 4 interfaces).
- On select models, configuring a separate interface with 'dedicated-mgmt', which gives that interface its own routing.
The feature can also be used in standalone mode, providing a port that is used only for management.
It is also useful as a second management channel: if the primary in-band management port becomes unreachable, the FortiGate can still be reached over the secondary out-of-band channel.
For example, if wan1 is the primary management port and dedicated-mgmt is enabled on mgmt1 for out-of-band management, mgmt1 provides a redundant management path that remains usable if wan1 becomes unavailable.
Scope
This feature is available on models with mgmt/mgmt1/mgmt2 ports, such as the following:
- FortiGate-120G/121G.
- FortiGate-200F/201F.
- FortiGate-900G/901G.
- FortiGate-1000F/1001F.
- FortiGate-3000F/3001F.
- FortiGate-3200F/3201F.
- FortiGate-3500F/3501F.
- FortiGate-3700F/3701F.
- FortiGate-4800F/4801F.
- FortiGate-6000F.
- FortiGate-7000E/7000F.
- FortiWIFI-1801F.
- FortiWIFI-2600F.
- FortiWIFI-3980E.
- FortiWIFI-4200F.
- FortiWIFI-4400F/4401F.
- FortiWIFI-4801F.
Solution
The mgmt interface must not be referenced by any other configuration object (for example a firewall policy, static route or DHCP server) before it can be used for dedicated-mgmt.
Check this first: the following command must return nothing, and only then can mgmt be used:
diagnose sys cmdb refcnt show system.interface.name mgmt
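As an added example (not part of the original article, and not Fortinet's own tooling), the following Python script performs a comparable reference check offline against a FortiOS configuration backup: it parses the config/edit/set/next/end structure and lists every object that still references the interface, the same condition that 'diagnose sys cmdb refcnt' reports on the device. The sample configuration is constructed for this example; the check only inspects 'set' and 'append' values, so it approximates rather than replaces the on-box refcnt command.

```python
"""Offline pre-flight check for dedicated-mgmt (added example).

Parses a FortiOS configuration backup (config/edit/set/next/end format) and
lists every object that still references a given interface name. This
approximates what 'diagnose sys cmdb refcnt show system.interface.name <name>'
reports on the device: the list must be empty before the interface can be
moved into dedicated-mgmt.
"""
import shlex

# Constructed sample configuration for this example (not from a real device).
# mgmt1 is still referenced by a static route, a DHCP server and a firewall
# policy, so it cannot yet be used for dedicated-mgmt.
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt1"
        set vdom "root"
        set ip 10.24.3.199 255.255.252.0
        set allowaccess ping https ssh
        set type physical
        set role lan
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set type physical
    next
end
config router static
    edit 1
        set gateway 10.24.3.200
        set device "mgmt1"
    next
end
config system dhcp server
    edit 1
        set interface "mgmt1"
    next
end
config firewall policy
    edit 1
        set name "mgmt-to-internet"
        set srcintf "mgmt1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortios_config(text):
    """Yield (path, attribute, values) for every 'set'/'append' line.

    path is the list of enclosing scopes, e.g. ['firewall policy', '1'], so
    a reference can later be reported as 'firewall policy/1/srcintf'.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours the quoting FortiOS uses
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(" ".join(args))    # e.g. 'system dhcp server'
        elif keyword == "edit":
            stack.append(args[0])           # table entry name or ID
        elif keyword in ("next", "end"):
            if stack:
                stack.pop()
        elif keyword in ("set", "append") and len(args) >= 2:
            yield list(stack), args[0], args[1:]


def interface_references(text, ifname):
    """Return 'scope/entry/attribute' paths of objects that reference ifname.

    The interface's own entry under 'config system interface' is skipped;
    only references from other objects block dedicated-mgmt.
    """
    refs = []
    for path, attr, values in parse_fortios_config(text):
        if path[:2] == ["system interface", ifname]:
            continue
        if ifname in values:
            refs.append("/".join(path + [attr]))
    return refs


def can_enable_dedicated_mgmt(text, ifname):
    """True when no other object references ifname (the refcnt check would be empty)."""
    return not interface_references(text, ifname)


if __name__ == "__main__":
    for ref in interface_references(SAMPLE_CONFIG, "mgmt1"):
        print("mgmt1 is still referenced by", ref)
    print("dedicated-mgmt on mgmt1 possible:",
          can_enable_dedicated_mgmt(SAMPLE_CONFIG, "mgmt1"))
```

Run it against a full backup (replace SAMPLE_CONFIG with the file contents) to get the list of objects to remove or re-point before enabling dedicated-mgmt; with the sample above it reports the static route, the DHCP server and the firewall policy.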
Configuration CLI:
config system dedicated-mgmt
set status {enable | disable}
set interface [mgmt | mgmt1 | mgmt2]
set default-gateway x.x.x.x
set dhcp-server {enable | disable}
set dhcp-netmask x.x.x.x
set dhcp-start-ip x.x.x.x
set dhcp-end-ip x.x.x.x
end
For example, enable dedicated-mgmt on mgmt1 with a default gateway and a DHCP server for the management hosts; the effects of this configuration are described below:
config system dedicated-mgmt
set status enable
set interface "mgmt1"
set default-gateway 10.24.3.200
set dhcp-server enable
set dhcp-netmask 255.255.252.0
set dhcp-start-ip 10.24.3.201
set dhcp-end-ip 10.24.3.210
end
In the background, the FortiGate creates a hidden VDOM named 'dmgmt-vdom', and the mgmt1 interface is moved from the root VDOM to dmgmt-vdom:
config system interface
edit "mgmt1"
set vdom "dmgmt-vdom"
set ip 10.24.3.199 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set dedicated-to management
set role lan
set snmp-index 27
next
end
Note that the allowaccess list above includes http and telnet, which are cleartext protocols; on a management interface, limit allowaccess to https and ssh (plus ping if needed). To enter the dmgmt-vdom VDOM on the FortiGate:
execute enter dmgmt-vdom
current vdom=dmgmt-vdom:3
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0] <-- Default route via mgmt1 created in dmgmt-vdom.
C 10.24.0.0/22 is directly connected, mgmt1
Once mgmt1 is in dmgmt-vdom, it can no longer be referenced by the configuration of the other VDOMs, for example in firewall policies or static routes in root.
To keep mgmt1 as a 'dedicated-to management' interface with its own routing table while still allowing it to be referenced in the configuration, disable dedicated-mgmt and place mgmt1 in a VRF instead:
config system dedicated-mgmt
set status disable
end
config system interface
edit "mgmt1"
set vdom "root"
set vrf 1
set ip 10.24.3.199 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set dedicated-to management
set role lan
set snmp-index 27
next
end
The default route via mgmt1 can then be created; it is placed in VRF 1 because that is the VRF of the mgmt1 interface:
config router static
edit 0
set gateway 10.24.3.200
set device "mgmt1"
next
end
get router info routing-table database
Routing table for VRF=1
S *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C *> 10.24.0.0/22 is directly connected, mgmt1
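To confirm that the VRF approach keeps management routing separate from user traffic, the following Python script (an added example, not from the article or from Fortinet) parses the text of 'get router info routing-table database' and checks two things: that a default route via the management interface exists in the management VRF, and that the management interface carries no routes in any other VRF (in particular VRF 0, the user-traffic table). Both routing-table samples are constructed for this example; the second one models the mistake of creating the default route while mgmt1 is still in VRF 0.

```python
"""Verify that the out-of-band default route landed in the intended VRF (added example).

Parses the text of 'get router info routing-table database' and checks that
the management interface's default route exists in the management VRF only,
so management routing stays separate from user traffic in VRF 0.
"""
import re

# Constructed output after 'set vrf 1' on mgmt1 (not captured from a real device).
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
C    *> 203.0.113.0/24 is directly connected, wan1
C    *> 192.168.1.0/24 is directly connected, internal
Routing table for VRF=1
S    *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C    *> 10.24.0.0/22 is directly connected, mgmt1
"""

# Constructed output for the misconfigured case: mgmt1 was left in VRF 0, so its
# default route competes with the wan1 default route in the user-traffic table.
SAMPLE_MISCONFIGURED = """\
Routing table for VRF=0
S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
S    *  0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C    *> 203.0.113.0/24 is directly connected, wan1
C    *> 10.24.0.0/22 is directly connected, mgmt1
"""

VRF_RE = re.compile(r"^Routing table for VRF=(\d+)")
# Matches both the 'S    *> prefix [ad/metric] via gw, dev, ...' form and the
# 'C    *> prefix is directly connected, dev' form; the route code may carry a
# trailing '*' (candidate default) as in 'S* 0.0.0.0/0'.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\S*\s+[*>]*\s*(?P<prefix>\S+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<gw>[0-9.]+),\s+(?P<dev>[^,\s]+)"
    r"|is directly connected,\s+(?P<cdev>\S+))"
)


def parse_routing_table(text):
    """Return the routes as dicts with vrf, code, prefix, gateway and device."""
    routes, vrf = [], None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = int(m.group(1))      # all following routes belong to this VRF
            continue
        m = ROUTE_RE.match(line)
        if m and vrf is not None:
            routes.append({
                "vrf": vrf,
                "code": m.group("code"),
                "prefix": m.group("prefix"),
                "gateway": m.group("gw"),
                "device": m.group("dev") or m.group("cdev"),
            })
    return routes


def check_oob_default_route(text, device, mgmt_vrf):
    """Return a list of problems; an empty list means the OOB routing is as intended."""
    routes = parse_routing_table(text)
    problems = []
    if not any(r["vrf"] == mgmt_vrf and r["prefix"] == "0.0.0.0/0"
               and r["device"] == device for r in routes):
        problems.append(f"no default route via {device} in VRF {mgmt_vrf}")
    for r in routes:
        if r["device"] == device and r["vrf"] != mgmt_vrf:
            problems.append(f"{device} still carries {r['prefix']} in VRF {r['vrf']}")
    return problems


if __name__ == "__main__":
    for name, table in (("correct", SAMPLE_ROUTING_TABLE),
                        ("misconfigured", SAMPLE_MISCONFIGURED)):
        print(name, check_oob_default_route(table, "mgmt1", 1) or "OK")
```

Paste the real command output in place of SAMPLE_ROUTING_TABLE; any reported problem means either the default route was not created on the management interface or the interface is still routing in a VRF shared with user traffic.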
The 'dedicated-to management' setting:
Setting an interface as 'dedicated-to management' can be done in the GUI as well as the CLI. This is a different function from the dedicated-mgmt configuration above: it restricts how the interface can be used but does not by itself move the interface into a separate VDOM.
config system interface
edit mgmt
set dedicated-to management
next
end
When the mgmt interface is set to 'dedicated-to management', it no longer appears in the interface selection of firewall policies, so no user traffic can be forwarded through it. For example, if an administrator's PC manages the FortiGate through the 'dedicated-to management' interface, that PC cannot reach the internet through the FortiGate via that same interface.
However, the 'dedicated-to management' interface can still have static routes assigned, and the FortiGate itself may reach the internet over this interface.
Note:
On a FortiGate-VM, use the HA reserved management interface instead, because the number of available interfaces on a VM is limited.
When an interface is set to 'dedicated-to management', its settings are synchronized between the primary and secondary units. This differs from the HA reserved management interface, whose settings are NOT synchronized between the primary and secondary units.
Related article:
Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID