iskandar_lie
Staff
Article Id 228972
Description: This article describes how to use the dedicated management interface for FortiGuard communication (DNS resolution, web rating lookups and signature updates) when it is the only interface with a path to the internet.
Scope

FortiGate, FortiGuard.

 

Scenario: 

The 'mgmt' interface is the only interface with internet access, so all FortiGuard traffic from the FortiGate must leave through it.

Solution

System interface management config ('set dedicated-to management' reserves the interface for management traffic and keeps it out of firewall policies; the FortiGuard traffic will source from its address once the default route below points at it):

 

FortiGate-100D # show system interface mgmt
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.5.17.143 255.255.240.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set dedicated-to management
        set snmp-index 6
    next
end

 

System DNS config:

 

FortiGate-100D # show system dns
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

 

Router static:

 

FortiGate-100D # show router static
config router static
    edit 1
        set gateway 10.5.31.254
        set device "mgmt"
    next
end

 

Ping these three FQDNs to confirm that system DNS resolves through the mgmt interface and that the FortiGuard servers are reachable (note that the first two names resolve to other hostnames via CNAME, which is expected):

 

* service.fortiguard.net

* update.fortiguard.net

* guard.fortinet.net

 

FortiGate-100D # execute ping service.fortiguard.net
PING guard.fortinet.net (208.184.237.61): 56 data bytes
64 bytes from 208.184.237.61: icmp_seq=0 ttl=56 time=146.1 ms
64 bytes from 208.184.237.61: icmp_seq=1 ttl=56 time=146.0 ms
^C
--- guard.fortinet.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 146.0/146.0/146.1 ms

FortiGate-100D # execute ping update.fortiguard.net
PING fds1.fortinet.com (173.243.138.67): 56 data bytes
64 bytes from 173.243.138.67: icmp_seq=0 ttl=54 time=156.2 ms
64 bytes from 173.243.138.67: icmp_seq=1 ttl=54 time=156.2 ms
^C
--- fds1.fortinet.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 156.2/156.2/156.2 ms

FortiGate-100D # execute ping guard.fortinet.net
PING guard.fortinet.net (209.222.147.36): 56 data bytes
64 bytes from 209.222.147.36: icmp_seq=0 ttl=53 time=89.0 ms
64 bytes from 209.222.147.36: icmp_seq=1 ttl=53 time=89.0 ms
^C
--- guard.fortinet.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 89.0/89.0/89.0 ms

 

With DNS and the default route both on the mgmt interface, the FortiGuard status shows 'UP'.
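The following is an added example, not part of the original article: the complete CLI sequence for the scenario above as a practitioner would apply it, with two hardening changes (cleartext 'http' removed from allowaccess, and the admin account restricted to a trusted host subnet, as in the trusted-host cookbook linked below) and the FortiGuard-side verification commands. The addresses are the article's; the admin subnet 10.5.16.0/20 is an assumption, and the 'config system fortiguard' interface pinning is assumed to be available on your FortiOS build (confirm with '?' in that context before relying on it).

```fortios
# Added example (not the article's own config). Addresses as in the article;
# trusted-host subnet and the fortiguard interface pinning are assumptions.

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.5.17.143 255.255.240.0
        # 'http' dropped from the article's allowaccess: cleartext admin
        # access is unnecessary once https is enabled on the same interface.
        set allowaccess ping https ssh fgfm
        set type physical
        set dedicated-to management
    next
end

# Restrict the admin account to the management subnet (assumed 10.5.16.0/20).
config system admin
    edit "admin"
        set trusthost1 10.5.16.0 255.255.240.0
    next
end

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

# Default route via mgmt: this is what makes FortiGuard traffic egress there.
config router static
    edit 1
        set gateway 10.5.31.254
        set device "mgmt"
    next
end

# Assumed available on your build: pin FortiGuard traffic to mgmt explicitly
# instead of relying on mgmt holding the only default route.
config system fortiguard
    set interface-select-method specify
    set interface "mgmt"
end

# Verification: source the pings from the mgmt address, then query FortiGuard.
execute ping-options source 10.5.17.143
execute ping service.fortiguard.net
execute ping update.fortiguard.net
execute ping guard.fortinet.net
diagnose debug rating
diagnose autoupdate status
execute update-now
```

'diagnose debug rating' should list the rating servers with a non-zero weight and a recent timestamp, and 'diagnose autoupdate status' should show the FDS server reachable; if the pings succeed but these do not, check that outbound TCP 443 (or UDP 8888/53, depending on the configured FortiGuard protocol) from 10.5.17.143 is permitted upstream of the mgmt gateway.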

 


 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-dedicate-an-interface-to-managemen...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SNMP-polling-via-the-dedicated-H...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-dedicated-mgmt-feature-Out-of-ba...

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/313152/out-of-band-managemen...

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/222079/using-a-trusted-host-optional