FortiGate
dbabic
Staff
Article Id 193699

Description

 
This article explains the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate out-of-band management.

Out-of-band means separate from user traffic: management traffic has its own routing table and is routed independently of the data plane.

This is done in two ways:
  • Dedicating one or more interfaces in HA for individual management of each cluster member (up to 4 interfaces).
  • On select models, a separate interface comes factory-configured with 'dedicated-to management'.

Note: both can be used at the same time.
This article covers the 'dedicated-to management' part.
 
GUI:
 
[Image: HA management interface settings in the GUI]
 
CLI:
 
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface port10
            set gateway 10.10.10.10
        next
    end
end

By default, SNMP traps and syslog/remote logs leave the FortiGate through the dedicated management port. A dedicated management port is useful where IT management regulations require management traffic to be kept separate from user traffic.

Both units of an HA cluster should be able to send out logs, SNMP traps, and RADIUS/LDAP packets individually from their own management port, so this management traffic must be reachable within the dedicated network.

The feature can also be used in standalone mode, allowing a dedicated port to be used for management.

The feature is also useful for maintaining two management channels: if the primary in-band management port becomes unreachable, the FortiGate can still be reached, and logs still received, over the secondary out-of-band channel.

For example, if wan1 is the primary management port and dedicated-mgmt is enabled on mgmt1 for out-of-band management, mgmt1 acts as a redundant management port that remains usable if wan1 becomes unavailable.

Such an implementation needs to be used with consideration, because logs and SNMP traps will then be sent out simultaneously from both wan1 and mgmt1.


Scope

 

All FortiGate models with mgmt interface running supported FortiOS versions (FortiGate 100D, 200D, 900D, 1000D and 3040C running FortiOS 5.0, 5.2 or 5.4).

Solution

 

Dedicating an interface to management can be done in GUI as well as CLI:

 
[Image: interface settings in the GUI with 'Dedicated to Management' enabled]

 

config system interface
    edit mgmt
        set dedicated-to management
    next
end

 

Once the mgmt interface is set to 'dedicated-to management', it no longer appears in the interface selection for firewall policies. The interface cannot be used in routing entries such as the default static route (it is now 'out-of-band'), which means normal internet access traffic through this interface is not possible.

For example, if firewall management access is taken on the dedicated-to-management interface from a user's PC, that PC cannot reach the internet through the same dedicated-to-management interface.
 
Further changes to the dedicated-mgmt feature (such as adding a DHCP server) are possible through the CLI.
The mgmt interface must not be referenced anywhere else in the configuration before it can be used here.

Check this first: the following command must return nothing; only then can mgmt be used:
 
diagnose sys cmdb refcnt show system.interface.name mgmt
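The refcnt check above runs on the box itself. When reviewing a configuration backup offline (for example before a change window), the same question can be answered by walking the config text. The following is an added example and not Fortinet's own tooling: it parses the config/edit/next/end nesting of a FortiOS backup, reports every 'set' line that names the candidate interface outside its own definition, and reads the current 'config system dedicated-mgmt' status. The sample configuration is constructed for the example and deliberately references mgmt1 in a static route, a firewall policy and the syslog settings, i.e. exactly the leftovers that would make the refcnt check return output.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed sample of a FortiOS configuration backup (not taken from a real
# device). mgmt1 is referenced by a static route, a firewall policy and the
# syslog settings, so it cannot yet be dedicated to management.
SAMPLE_CONFIG = """\
config system dedicated-mgmt
    set status disable
end
config system interface
    edit "mgmt1"
        set vdom "root"
        set ip 10.24.3.199 255.255.252.0
        set allowaccess ping https ssh
        set dedicated-to management
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 10.24.3.200
        set device "mgmt1"
    next
end
config firewall policy
    edit 1
        set srcintf "mgmt1"
        set dstintf "wan1"
        set action accept
    next
end
config log syslogd setting
    set status enable
    set server "10.24.3.50"
    set interface-select-method specify
    set interface "mgmt1"
end
"""


@dataclass(frozen=True)
class Reference:
    section: str    # config table, e.g. "router static"
    entry: str      # edit key inside the table, "" for global tables
    attribute: str  # the 'set' attribute that names the interface


def find_interface_references(config_text: str, ifname: str) -> list[Reference]:
    """Return every 'set'/'append' line outside the interface's own
    definition that names ifname. Nesting is tracked with two stacks."""
    refs: list[Reference] = []
    sections: list[str] = []  # nested "config ..." table names
    entries: list[str] = []   # current "edit" key per nesting level
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shlex drops the quotes around "mgmt1"
        keyword = tokens[0]
        if keyword == "config":
            sections.append(" ".join(tokens[1:]))
            entries.append("")
        elif keyword == "edit":
            entries[-1] = tokens[1]
        elif keyword == "next":
            entries[-1] = ""
        elif keyword == "end":
            sections.pop()
            entries.pop()
        elif keyword in ("set", "append") and ifname in tokens[2:]:
            # The interface's own entry under 'config system interface'
            # is its definition, not a reference to it.
            if sections[-1] == "system interface" and entries[-1] == ifname:
                continue
            refs.append(Reference(sections[-1], entries[-1], tokens[1]))
    return refs


def dedicated_mgmt_status(config_text: str) -> str | None:
    """Value of 'set status' under 'config system dedicated-mgmt', or None
    when that table is absent from the backup."""
    in_table = False
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip()) if raw.strip() else []
        if not tokens:
            continue
        if tokens[0] == "config":
            in_table = " ".join(tokens[1:]) == "system dedicated-mgmt"
        elif in_table and tokens[0] == "set" and tokens[1] == "status":
            return tokens[2]
        elif tokens[0] == "end":
            in_table = False
    return None


def report(config_text: str, ifname: str) -> str:
    """Human-readable summary of what blocks dedicating ifname."""
    refs = find_interface_references(config_text, ifname)
    lines = [f"dedicated-mgmt status: {dedicated_mgmt_status(config_text)}"]
    if not refs:
        lines.append(f"{ifname} is unreferenced; it can be dedicated to management")
    for r in refs:
        where = f"{r.section} edit {r.entry}" if r.entry else r.section
        lines.append(f"{ifname} referenced in '{where}' via '{r.attribute}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, "mgmt1"))
```

Run it against a backup exported from the GUI or 'show full-configuration' output; each reported reference is a line to remove before 'set dedicated-to management' or 'config system dedicated-mgmt' will be accepted, and the syslog case is a reminder that log destinations move with the interface once it is out-of-band.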
 
Configuration CLI:
 
config system dedicated-mgmt
    edit {name}
        set status {enable | disable}
        set interface {mgmt | mgmt1 | mgmt2}
        set default-gateway x.x.x.x
        set dhcp-server {enable | disable}
        set dhcp-netmask x.x.x.x
        set dhcp-start-ip x.x.x.x
        set dhcp-end-ip x.x.x.x
end
 

Note that when "config system dedicated-mgmt" is enabled and the interface is set to mgmt1:

config system dedicated-mgmt
    set status enable
    set interface "mgmt1"
    set default-gateway 10.24.3.200
    set dhcp-server enable
    set dhcp-netmask 255.255.252.0
    set dhcp-start-ip 10.24.3.201
    set dhcp-end-ip 10.24.3.210
end

 

 

In the background, the FortiGate creates a hidden VDOM named "dmgmt-vdom", and the VDOM of the mgmt1 interface is switched from root to dmgmt-vdom:

config system interface
    edit "mgmt1"
        set vdom "dmgmt-vdom"
        set ip 10.24.3.199 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 27
    next
end

 

To enter the dmgmt-vdom VDOM on the FortiGate:

# execute enter dmgmt-vdom
current vdom=dmgmt-vdom:3

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0] <===== Default route via mgmt1 created in dmgmt-vdom
C       10.24.0.0/22 is directly connected, mgmt1

 

 

Mgmt1 cannot be referenced in the configuration file anymore.

 

 

To keep mgmt1 as a dedicated-to management interface and to allow referencing it in the configuration file, a VRF can be set on mgmt1 instead:

 

config system dedicated-mgmt
    set status disable
end

config system interface
    edit "mgmt1"
        set vdom "root"
        set vrf 1
        set ip 10.24.3.199 255.255.252.0
        set allowaccess ping https ssh http telnet
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 27
    next
end

 

A default route via mgmt1 can then be created:

config router static
    edit 0
        set gateway 10.24.3.200
        set device "mgmt1"
    next
end

# get router info routing-table database

Routing table for VRF=1
S    *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C    *> 10.24.0.0/22 is directly connected, mgmt1
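Whether the hidden dmgmt-vdom or the VRF approach is used, the property worth verifying afterwards is the same: routes through the management interface live only in the management routing table, and that table has a default route that leaves via the management interface. The following is an added example, not Fortinet code, that parses 'get router info routing-table' style output (the 'Routing table for VRF=N' headers plus static and connected route lines, in both the plain and the '*>' database formats shown above) and checks that isolation. Both sample outputs are constructed for the example: one shows mgmt1 correctly confined to VRF 1, the other shows mgmt1 and its default route still sitting in VRF 0 alongside the wan1 default route.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed output in the style of 'get router info routing-table all':
# mgmt1 is in VRF 1 with its own default route, data-plane routes are in VRF 0.
# Not captured from a real device.
GOOD_OUTPUT = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
C       203.0.113.0/24 is directly connected, wan1
C       192.0.2.0/24 is directly connected, port1

Routing table for VRF=1
S    *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C    *> 10.24.0.0/22 is directly connected, mgmt1
"""

# Constructed output for the same device before the VRF was applied: mgmt1
# and a second default route share VRF 0 with user traffic.
BAD_OUTPUT = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
S       0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C       203.0.113.0/24 is directly connected, wan1
C       10.24.0.0/22 is directly connected, mgmt1
"""

VRF_RE = re.compile(r"^Routing table for VRF=(\d+)")
# Route code, optional '*' / '*>' markers, IPv4 prefix, then either
# '[dist/metric] via <nexthop>, <device>' or 'is directly connected, <device>'.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z])\*?\s+(?:\*>\s+)?(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>[^,\s]+),\s*(?P<dev>[^,\s]+)"
    r"|is directly connected,\s*(?P<cdev>[^,\s]+))"
)


@dataclass(frozen=True)
class Route:
    code: str         # S = static, C = connected, ...
    prefix: str
    via: str | None   # next hop; None for connected routes
    device: str


def parse_routing_table(output: str) -> dict[int, list[Route]]:
    """Group route lines under the 'Routing table for VRF=N' header above them."""
    tables: dict[int, list[Route]] = {}
    vrf: int | None = None
    for line in output.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = int(m.group(1))
            tables.setdefault(vrf, [])
            continue
        m = ROUTE_RE.match(line)
        if m and vrf is not None:
            tables[vrf].append(Route(
                code=m.group("code"),
                prefix=m.group("prefix"),
                via=m.group("via"),
                device=m.group("dev") or m.group("cdev"),
            ))
    return tables


def check_oob_isolation(tables: dict[int, list[Route]], mgmt_if: str,
                        mgmt_vrf: int) -> list[str]:
    """Return an empty list when the management interface is confined to
    mgmt_vrf and that VRF's default route leaves via the management interface."""
    problems: list[str] = []
    for vrf, routes in tables.items():
        if vrf == mgmt_vrf:
            continue
        for r in routes:
            if r.device == mgmt_if:
                problems.append(
                    f"{r.prefix} uses {mgmt_if} in VRF {vrf}; expected only in VRF {mgmt_vrf}")
    defaults = [r for r in tables.get(mgmt_vrf, []) if r.prefix == "0.0.0.0/0"]
    if not defaults:
        problems.append(f"VRF {mgmt_vrf} has no default route; off-subnet management replies cannot leave")
    for r in defaults:
        if r.device != mgmt_if:
            problems.append(f"default route in VRF {mgmt_vrf} leaves via {r.device}, not {mgmt_if}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, check_oob_isolation(parse_routing_table(text), "mgmt1", 1) or "OK")
```

For the dmgmt-vdom variant, run the check on the output captured inside the hidden VDOM with the management VRF set to 0, since the routing table shown after 'execute enter dmgmt-vdom' is that VDOM's VRF 0.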

 

 

Related article:

Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID