dalten
Staff
Description
When the FortiWeb is configured to use an aggregate interface (LACP), it can no longer be managed through the member interfaces. The FortiWeb also cannot be managed through the new aggregate interface.

A physical interface that is not a member of the aggregate interface should be used for management purposes.

This document shows how to add the necessary policy route to ensure proper routing of management traffic for the designated management interface.

Solution
In this example configuration, port1 and port2 are used for LACP and port3 is the management interface.
You will need console access to make the changes.

FortiGate <---> FortiWeb service network: 10.5.1.0/24
FortiGate: 10.5.1.1
FortiWeb: 10.5.1.2

Management network: 10.150.150.0/24
Gateway: 10.150.150.1
FortiWeb: 10.150.150.100

Topology:

[Figure: topology diagram]

FortiWeb CLI configuration:

config system interface
  edit "port1"
    set type physical
    config  secondaryip
    end
  next
  edit "port2"
    set type physical
    config  secondaryip
    end
  next
  edit "port3"
    set type physical
    set ip 10.150.150.100/24
    set allowaccess https ping ssh snmp
    set description "management network"
    config  secondaryip
    end
  next
  edit "agg-vlan5"
    set type aggregate
    set ip 10.5.1.2/24
    set lacp-speed fast
    set algorithm layer3_4
    set intf port1 port2
    config  secondaryip
    end
  next
end

config router static
  edit 1
    set gateway 10.5.1.1
    set device agg-vlan5
  next
end

  • The following policy route is the key to ensuring that FortiWeb responds to management traffic using port3.
  • Such management traffic arrives at the FortiWeb on 10.150.150.100.
  • Therefore, when FortiWeb replies it will use 10.150.150.100 as its source IP.
  • That source IP will match the following policy route and determine both gateway and outgoing interface.

config router policy
  edit 1
    set src 10.150.150.100/32
    set gateway 10.150.150.1
    set oif port3
  next
end
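
Why the policy route matters, as an added Python sketch (not Fortinet code and not part of the original article): it models egress selection with the addresses from this page, assuming a source-matching policy route is consulted before the routing table. The admin workstation address 192.0.2.10 is constructed.

```python
import ipaddress

# Values taken from the configuration on this page.
CONNECTED = [("10.150.150.0/24", "port3"), ("10.5.1.0/24", "agg-vlan5")]
STATIC = [("0.0.0.0/0", "10.5.1.1", "agg-vlan5")]           # config router static, edit 1
POLICY = [("10.150.150.100/32", "10.150.150.1", "port3")]   # config router policy, edit 1


def select_egress(src, dst, policy_routes=POLICY):
    """Return (outgoing interface, next hop) for a packet the appliance sends.

    Simplified model (assumption): source-based policy routes are consulted
    first; otherwise the longest matching connected/static prefix wins.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, gateway, oif in policy_routes:
        if src_ip in ipaddress.ip_network(src_net):
            return oif, gateway
    candidates = [(ipaddress.ip_network(n), oif, None) for n, oif in CONNECTED]
    candidates += [(ipaddress.ip_network(n), oif, gw) for n, gw, oif in STATIC]
    matches = [c for c in candidates if dst_ip in c[0]]
    net, oif, gw = max(matches, key=lambda c: c[0].prefixlen)
    return oif, gw if gw else "directly connected"


def reply_is_symmetric(src, dst, arrival_if, policy_routes=POLICY):
    """True when the reply leaves through the interface the request arrived on."""
    return select_egress(src, dst, policy_routes)[0] == arrival_if


if __name__ == "__main__":
    admin = "192.0.2.10"        # constructed remote admin workstation
    mgmt_ip = "10.150.150.100"  # port3 address from the page
    for label, routes in (("without policy route", []), ("with policy route", POLICY)):
        oif, hop = select_egress(mgmt_ip, admin, routes)
        ok = reply_is_symmetric(mgmt_ip, admin, "port3", routes)
        print(f"{label}: reply {mgmt_ip} -> {admin} leaves {oif} via {hop}, symmetric={ok}")
```

Without the policy route, a reply to an admin host outside 10.150.150.0/24 follows the default route out agg-vlan5 with a management source address, so the management session is asymmetric and crosses the service network.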
