Description
This article explains the purpose and functionality of the dedicated-mgmt feature, also known as FortiGate out-of-band management.
Out-of-band means separate from user traffic: the management interface has its own routing table, so its routing is entirely separate from the data plane.
This is done in two ways:
- dedicating an interface in an HA cluster to individual management of each FortiGate (up to 4 interfaces).
- on select models, a separate interface comes factory-configured as 'dedicated-to management'.
Note: both can be used at the same time!
This article refers to the 'dedicated-to management' part.
By default, SNMP traps and syslog/remote logs should leave the FortiGate through the dedicated management port. The dedicated management port is useful for complying with IT management regulations.
Both units of an HA cluster should be able to send logs, SNMP traps and RADIUS/LDAP packets individually from their own management port, and this management traffic should be able to communicate within the dedicated management network.
The feature can also be used in standalone mode, providing a dedicated port for management.
The feature is also useful for running two management channels: when the primary in-band management port is unreachable, the FortiGate can still be reached, and its logs still received, over the secondary out-of-band channel.
For example, if wan1 is the primary management port and the dedicated-mgmt feature is enabled on mgmt1 for out-of-band management, mgmt1 provides a redundant management port that remains usable if wan1 becomes unavailable.
Such a setup must be planned with care, because logs and SNMP traps will then be sent simultaneously from both wan1 and mgmt1.
Scope
All FortiGate models with mgmt interface running supported FortiOS versions
(FortiGate 100D, 200D, 900D, 1000D and 3040C running FortiOS 5.0, 5.2 or 5.4).
Solution
Dedicating an interface to management can be done in the GUI as well as the CLI (the interface is selected with 'edit'):
config system interface
    edit mgmt
        set dedicated-to management
    next
end
Once the mgmt interface is set to 'dedicated-to management', it no longer appears in the interface selection for firewall policies (it is now out-of-band), which means normal internet-access traffic cannot pass through this interface.
For example, if a user's PC manages the firewall through the dedicated-to-management interface, that same PC cannot reach the internet through that interface.
Further changes to the dedicated-mgmt configuration (such as adding a DHCP server) are possible through the CLI.
The mgmt interface must not be referenced anywhere else in the configuration before it can be used here.
Check first with the following command; it must return nothing, and only then can mgmt be used:
diagnose sys cmdb refcnt show system.interface.name mgmt
Configuration CLI:
config system dedicated-mgmt
    set status {enable | disable}
    set interface {mgmt | mgmt1 | mgmt2}
    set default-gateway x.x.x.x
    set dhcp-server {enable | disable}
    set dhcp-netmask <netmask>
    set dhcp-start-ip x.x.x.x
    set dhcp-end-ip x.x.x.x
end
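A complete worked configuration, added here as an example and not taken from the Fortinet article: it checks that the interface is unreferenced, dedicates mgmt1 to management with only the management protocols that are needed, enables dedicated-mgmt with a DHCP scope for the management network, and ends with verification commands. The interface name mgmt1 and the 192.0.2.0/24 addressing are constructed values for illustration.

```fortios
# Added example (not from the original article); mgmt1 and the
# 192.0.2.0/24 network are assumptions chosen for illustration.

# 1. Confirm mgmt1 is not referenced by any policy, route, zone or VIP.
#    The command must print nothing; otherwise remove those references first.
diagnose sys cmdb refcnt show system.interface.name mgmt1

# 2. Put mgmt1 out-of-band: assign an address and allow only the
#    management protocols actually needed on the management network.
config system interface
    edit "mgmt1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh snmp
        set dedicated-to management
    next
end

# 3. Enable the dedicated management path. This default gateway is used
#    only by management traffic (logs, SNMP traps, RADIUS/LDAP) leaving
#    mgmt1, independently of the main routing table.
config system dedicated-mgmt
    set status enable
    set interface "mgmt1"
    set default-gateway 192.0.2.1
    set dhcp-server enable
    set dhcp-netmask 255.255.255.0
    set dhcp-start-ip 192.0.2.100
    set dhcp-end-ip 192.0.2.199
end

# 4. Verify: mgmt1 must show 'dedicated-to management' and must no longer
#    be selectable in firewall policies; dedicated-mgmt must show status enable.
show system interface mgmt1
show system dedicated-mgmt
```

After this, the mgmt1 interface cannot carry user traffic, so any host on 192.0.2.0/24 reaches only the FortiGate's management services, not the internet through it.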
Related article:
Technical Tip: FortiGate SNMP polling via the dedicated HA management port - HA status MIB OID