Description
This article explains the purpose and functionality of the dedicated-mgmt feature also known as FortiGate Out-of-band Management.
Out-of-band means separate from the user traffic: the management interface has its own routing table and is routed separately altogether.
This is done in two ways:
- Dedicating an interface in HA for individual management of FortiGates (up to 4 interfaces).
- On select models, a separate interface comes factory-configured with a 'dedicated-to management' setting.
Note: both can be used at the same time.
This article refers to the 'dedicated-to management' part.
The HA management interface can be reserved from the HA settings in the GUI, or with the following CLI:
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface port10
set gateway 10.10.10.10
next
end
end
By default, SNMP traps and Syslog/remote logs leave the FortiGate through the dedicated management port. A dedicated management port is useful where IT management regulations require management traffic to be kept separate.
Each unit of an HA cluster can send logs, SNMP traps, and RADIUS/LDAP packets individually from its own management port, so this management traffic works within the dedicated management network.
The feature can also be used in standalone mode, dedicating a port to management.
The feature is also useful as a second management channel: when the primary in-band management port is unreachable, the FortiGate can still be reached, and still deliver logs, over the secondary out-of-band channel.
For example, if wan1 is the primary management port and the dedicated-mgmt feature is enabled on, say, mgmt1 for out-of-band management, mgmt1 acts as a redundant management port should wan1 become unavailable.
Such a setup needs careful consideration, because logs and SNMP traps will then be sent simultaneously from both port wan1 and port mgmt1.
Scope
All FortiGate models with mgmt interface running supported FortiOS versions (FortiGate 100D, 200D, 900D, 1000D, and 3040C running FortiOS 5.0, 5.2, or 5.4).
Solution
Dedicating an interface to management can be done in GUI as well as CLI:
config system interface
edit mgmt
set dedicated-to management
end
Once the mgmt interface is set to 'dedicated-to management', it no longer appears in the interface selection of firewall policies. The interface also cannot be used in routing entries such as the default static route (it is 'out-of-band' now), which means normal internet access traffic through this interface is not possible.
For example, if a user's PC manages the FortiGate through the dedicated-to-management interface, that same PC cannot reach the internet through that interface.
Further options for the dedicated-mgmt feature, such as enabling a DHCP server on the interface, are available through the CLI.
The mgmt interface must not be referenced anywhere else in the configuration before it can be used here.
Check this first; the command below must return nothing, and only then can mgmt be used:
diagnose sys cmdb refcnt show system.interface.name mgmt
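The refcnt command above runs on the FortiGate itself. As an added example (not Fortinet's code, and not part of the original article), the following Python script approximates the same check offline against a configuration backup: it parses the FortiOS config syntax (config/edit/set/next/end) and reports every 'set' line that names a given interface, ignoring the interface's own entry under 'config system interface'. The configuration text embedded in the script is constructed for the example; the function names and the section labelling are this example's own choices, not FortiOS terminology.

```python
import shlex
from dataclasses import dataclass

# Constructed sample configuration for the example (not from a real device).
# mgmt1 is referenced by a static route and a firewall policy, so it is not
# yet free to be used as a dedicated management interface.
CONSTRUCTED_CONFIG = """\
config system interface
    edit "mgmt1"
        set vdom "root"
        set ip 10.24.3.199 255.255.252.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 10.24.3.200
        set device "mgmt1"
    next
end
config firewall policy
    edit 1
        set srcintf "mgmt1"
        set dstintf "port1"
        set action accept
    next
end
config log syslogd setting
    set status enable
    set server "203.0.113.10"
end
"""


@dataclass(frozen=True)
class Setting:
    section: str      # e.g. "router static"; nested sections joined by " / "
    entry: str        # table entry name from 'edit', or "" for global sections
    key: str          # the setting name after 'set'
    values: tuple     # remaining tokens, quotes already stripped


def parse_fortios_config(text):
    """Flatten a FortiOS-style config into a list of Setting records."""
    sections = []     # stack of open 'config' section names
    entries = []      # parallel stack: current 'edit' entry per section
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # handles quoted values such as "mgmt1"
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            sections.append(" ".join(args))
            entries.append("")
        elif cmd == "edit":
            entries[-1] = args[0] if args else ""
        elif cmd == "next":
            entries[-1] = ""
        elif cmd == "end":
            sections.pop()
            entries.pop()
        elif cmd in ("set", "append") and args:
            settings.append(Setting(" / ".join(sections), entries[-1],
                                    args[0], tuple(args[1:])))
    return settings


def find_interface_references(settings, iface):
    """Return every setting whose values name iface, except its own definition."""
    refs = []
    for s in settings:
        if s.section == "system interface" and s.entry == iface:
            continue   # the interface's own entry is a definition, not a reference
        if iface in s.values:
            refs.append(s)
    return refs


def describe(refs):
    """Render references as one line each, similar in spirit to a refcnt listing."""
    lines = []
    for r in refs:
        where = r.section + (f' edit "{r.entry}"' if r.entry else "")
        lines.append(f"{where}: set {r.key} {' '.join(r.values)}")
    return lines


if __name__ == "__main__":
    parsed = parse_fortios_config(CONSTRUCTED_CONFIG)
    for name in ("mgmt1", "mgmt2"):
        refs = find_interface_references(parsed, name)
        print(f"{name}: {'free to dedicate' if not refs else 'still referenced'}")
        for line in describe(refs):
            print("  " + line)
```

Run it against a backup exported from the GUI or CLI to find the policies and routes that must be removed before 'set dedicated-to management' is applied; an interface that produces no lines is the equivalent of the refcnt command returning nothing.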
Configuration CLI (the table has no entries, so there is no 'edit' step):
config system dedicated-mgmt
set status {enable | disable}
set interface {mgmt | mgmt1 | mgmt2}
set default-gateway x.x.x.x
set dhcp-server {enable | disable}
set dhcp-netmask x.x.x.x
set dhcp-start-ip x.x.x.x
set dhcp-end-ip x.x.x.x
end
Note that when 'config system dedicated-mgmt' is enabled with the interface set to mgmt1:
config system dedicated-mgmt
set status enable
set interface "mgmt1"
set default-gateway 10.24.3.200
set dhcp-server enable
set dhcp-netmask 255.255.252.0
set dhcp-start-ip 10.24.3.201
set dhcp-end-ip 10.24.3.210
end
In the background, the FortiGate creates a hidden VDOM named 'dmgmt-vdom' and moves the mgmt1 interface from the root VDOM into dmgmt-vdom:
config system interface
edit "mgmt1"
set vdom "dmgmt-vdom"
set ip 10.24.3.199 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set dedicated-to management
set role lan
set snmp-index 27
next
end
To enter the dmgmt-vdom VDOM on the FortiGate and inspect its routing table:
execute enter dmgmt-vdom
current vdom=dmgmt-vdom:3
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0] <-- Default route via mgmt1 created in dmgmt-vdom.
C 10.24.0.0/22 is directly connected, mgmt1
mgmt1 can no longer be referenced anywhere else in the configuration file.
To keep mgmt1 as a dedicated-to-management interface while still allowing it to be referenced in the configuration file, a VRF can be set on mgmt1 instead (dedicated-mgmt disabled):
config system dedicated-mgmt
set status disable
end
config system interface
edit "mgmt1"
set vdom "root"
set vrf 1
set ip 10.24.3.199 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set dedicated-to management
set role lan
set snmp-index 27
next
end
A default route via mgmt1 can then be created (it lands in VRF 1 together with the interface):
config router static
edit 0
set gateway 10.24.3.200
set device "mgmt1"
next
end
get router info routing-table database
Routing table for VRF=1
S *> 0.0.0.0/0 [10/0] via 10.24.3.200, mgmt1, [1/0]
C *> 10.24.0.0/22 is directly connected, mgmt1
Note:
On a FortiGate VM, use the HA reserved management interface instead, because a VM has a limited number of available interfaces.
Related article:
Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID