Description
When the FortiWeb is configured to use an aggregate interface (LACP), the
member interfaces can no longer be used to manage the FortiWeb, and the new
aggregate interface cannot be used for management either.
A physical interface that is not part of the aggregate must therefore be
reserved for management.
This document shows how to add the policy route that is needed so that
management traffic arriving on the designated management interface is
answered through that same interface rather than through the default route.
Solution
In this example configuration, port1 and port2 are the LACP members and
port3 is the management interface.
Make the changes from the console: as soon as port1 and port2 join the
aggregate, any management session through them is lost, and the aggregate
itself cannot be managed.
FortiGate <---> FortiWeb service network: 10.5.1.0/24
  FortiGate: 10.5.1.1
  FortiWeb (agg-vlan5): 10.5.1.2
Management network: 10.150.150.0/24
  Gateway: 10.150.150.1
  FortiWeb (port3): 10.150.150.100
Topology:
  FortiGate 10.5.1.1 <---> agg-vlan5 [port1 + port2] 10.5.1.2 on the FortiWeb
  Management gateway 10.150.150.1 <---> port3 10.150.150.100 on the FortiWeb
FortiWeb CLI configuration:
config system interface
    edit "port1"
        set type physical
        config secondaryip
        end
    next
    edit "port2"
        set type physical
        config secondaryip
        end
    next
    edit "port3"
        set type physical
        set ip 10.150.150.100/24
        set allowaccess https ping ssh snmp
        set description "management network"
        config secondaryip
        end
    next
    edit "agg-vlan5"
        set type aggregate
        set ip 10.5.1.2/24
        set lacp-speed fast
        set algorithm layer3_4
        set intf port1 port2
        config secondaryip
        end
    next
end
config router static
    edit 1
        set gateway 10.5.1.1
        set device agg-vlan5
    next
end
- The following policy route is the key to making the FortiWeb answer
management traffic through port3.
- Management traffic reaches the FortiWeb at 10.150.150.100, so the
FortiWeb's replies carry 10.150.150.100 as their source IP.
- Without the policy route, a reply to a management host outside
10.150.150.0/24 would follow the default route out of agg-vlan5 towards
10.5.1.1 while still sourced from 10.150.150.100, and the session would
fail.
- The policy route matches that source IP and forces both the gateway
(10.150.150.1) and the outgoing interface (port3).
- Only traffic sourced from 10.150.150.100 is affected: hosts on
10.150.150.0/24 itself are reached directly through port3 without it, and
traffic the FortiWeb originates towards the service network still uses
the static route via agg-vlan5.
- To verify, connect to 10.150.150.100 from a management host on another
subnet and confirm with a packet capture on port3 that the replies leave
through port3 towards 10.150.150.1.
config router policy
    edit 1
        set src 10.150.150.100/32
        set gateway 10.150.150.1
        set oif port3
    next
end
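The two mistakes this layout invites are leaving allowaccess on the aggregate or one of its members, and forgetting the policy route altogether. The following checker is an added example written for this page; it is not Fortinet's code and not part of the FortiWeb product. It parses FortiWeb-style CLI config text into nested dictionaries and verifies the rules above: the management interface is neither an aggregate nor a member of one, allowaccess is only effective on that interface, and a policy route matches its address as a /32 and sends it out of that interface to a gateway on the management subnet. The parser, the function names and the sample config strings are assumptions constructed for the example; the addresses and interface names mirror the article.

```python
"""Consistency check for the FortiWeb LACP + dedicated-management layout.
Added example, not Fortinet's code: parses FortiWeb-style CLI config text and
checks the rules the article relies on."""
import ipaddress
import shlex

def parse_cli_config(text):
    """'config'/'edit' open a nested dict, 'next'/'end' close it, 'set' stores a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        scope = stack[-1]
        if cmd in ("config", "edit"):
            stack.append(scope.setdefault(" ".join(args), {}))
        elif cmd == "set":
            scope[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root

def check_management_path(text, mgmt_if):
    """Return a list of findings; an empty list means the layout is consistent."""
    cfg = parse_cli_config(text)
    interfaces = cfg.get("system interface", {})
    mgmt = interfaces.get(mgmt_if)
    if mgmt is None or "ip" not in mgmt:
        return [f"{mgmt_if} is not defined with an IP address"]
    mgmt_addr = ipaddress.ip_interface(mgmt["ip"][0])
    findings = []
    for name, intf in interfaces.items():
        if intf.get("type") != ["aggregate"]:
            continue
        members = intf.get("intf", [])
        if name == mgmt_if or mgmt_if in members:
            findings.append(f"{mgmt_if} is part of aggregate {name}; it cannot be used for management")
        # allowaccess on the aggregate or on a member grants nothing; flag it as misleading
        if "allowaccess" in intf:
            findings.append(f"allowaccess on aggregate {name} is ineffective")
        for member in members:
            if "allowaccess" in interfaces.get(member, {}):
                findings.append(f"allowaccess on {member} is ineffective; it is a member of {name}")
    if "allowaccess" not in mgmt:
        findings.append(f"{mgmt_if} has no allowaccess; nothing can manage the unit")
    # Replies are sourced from the management address, so a policy route must
    # match it as a /32 and send it out of mgmt_if to a gateway on that subnet.
    pinned = False
    for entry, route in cfg.get("router policy", {}).items():
        if route.get("oif") != [mgmt_if]:
            continue
        src = route.get("src", [""])[0]
        gateway = route.get("gateway", [""])[0]
        if src != f"{mgmt_addr.ip}/32":
            findings.append(f"policy route {entry}: src {src!r} should be {mgmt_addr.ip}/32")
            continue
        try:
            on_subnet = ipaddress.ip_address(gateway) in mgmt_addr.network
        except ValueError:
            on_subnet = False
        if not on_subnet:
            findings.append(f"policy route {entry}: gateway {gateway!r} is not on {mgmt_addr.network}")
            continue
        pinned = True
    if not pinned:
        findings.append(f"no policy route pins replies from {mgmt_addr.ip} to {mgmt_if}")
    return findings

# Constructed sample mirroring the article (port1/port2 carry no settings of their own).
ARTICLE_CONFIG = """
config system interface
    edit "port3"
        set type physical
        set ip 10.150.150.100/24
        set allowaccess https ping ssh snmp
    next
    edit "agg-vlan5"
        set type aggregate
        set ip 10.5.1.2/24
        set intf port1 port2
    next
end
config router policy
    edit 1
        set src 10.150.150.100/32
        set gateway 10.150.150.1
        set oif port3
    next
end
"""
# Constructed broken variant: allowaccess left on the aggregate, policy route missing.
BROKEN_CONFIG = ARTICLE_CONFIG.split("config router policy")[0].replace(
    "set intf port1 port2", "set intf port1 port2\n        set allowaccess https ssh")

if __name__ == "__main__":
    for label, config in (("article", ARTICLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_management_path(config, "port3") or "OK")
```

Feed it the output of a `show` on the unit (the empty `config secondaryip` / `end` stubs parse harmlessly) and an empty list means the management path is consistent; each finding names the interface or policy-route entry to fix.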