Description
This article explains how to use out-of-band management on standalone unit without using VDOMs.
Unit should use dedicated management interface for management and should connect to the Internet through this management interface for all management traffic.
The unit is a standalone unit (not in HA) and the usage of multiple VDOMs (split-task VDOM) is not intended.
Solution
The solution is to use different VRFs (Virtual Routing and Forwarding) for management and for the traffic.
Each FortiGate unit can use several VRFs. By default, all interfaces and routes are in VRF 0.
This also applies to the management traffic.
When it is required to route the management traffic through the different gateway, then normal traffic with different VRFs can be used.
This must be configured in CLI.
Management interface should stay in VRF 0 and all other interfaces that are used for traffic should be configured to the other VRF (for example 1).
This article explains how to use out-of-band management on standalone unit without using VDOMs.
Unit should use dedicated management interface for management and should connect to the Internet through this management interface for all management traffic.
The unit is a standalone unit (not in HA) and the usage of multiple VDOMs (split-task VDOM) is not intended.
Solution
The solution is to use different VRFs (Virtual Routing and Forwarding) for management and for the traffic.
Each FortiGate unit can use several VRFs. By default, all interfaces and routes are in VRF 0.
This also applies to the management traffic.
When it is required to route the management traffic through the different gateway, then normal traffic with different VRFs can be used.
This must be configured in CLI.
Management interface should stay in VRF 0 and all other interfaces that are used for traffic should be configured to the other VRF (for example 1).
#config system interface
edit wan1
set vrf 1
next
edit port1
set vrf 1
next
end
Then two default routes can be configured:
#config router staticThe output of the routing table:
edit 1
set gateway 10.10.10.254
set device "mgmt"
next
edit 2
set gateway 92.0.2.1
set device "wan1"
next
endFGT # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 10.10.10.254, mgmt
C 10.10.10.0/24 is directly connected, mgmt
Routing table for VRF=1
S* 0.0.0.0/0 [10/0] via 92.0.2.1, wan1
C 92.0.2.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, port1
Related Articles
Technical Note: OSPF Support for multiple virtual routing and forwarding VRFs
