Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

200E - Setting up a port to plug into a vSwitch port for isolated management

remote firewall config

  • config system settings
  • set allow-subnet-overlap enable

vSwitch config

  • interface-address:
  • member ports: 2, 3, 4, 5

Port 6 config

  • plugged into port 2 (vswitch)
  • type: LAN
  • interface-address:
  • services-checked: ping, ssh, http, https



    I can ping and from the CLI on the remote firewall.  I can ping from the local firewall CLI but cannot ping  Is the problem related to not having a default gateway pointed to


    My routing encompasses on the network so I'm not sure what's wrong.  Any assistance would be appreciated.


    Ultimately, I'm trying to set up a dedicated 'management port' without using the OOB Management-named port.  If I'm going about this the wrong way, please let me know.



1 REPLY

New Contributor

    In an effort to make this a little bit more clear, I'm trying to set up an isolated management interface (not the OOB Management interface) on a 'management' network.  


    With a physical layout, this does work:  

  • Port1 (Isolated Management interface), ping+ssh+http+https, plugged into a port on the physical switch
  • Port2 (Black Network Gateway), ping, plugged into a port on the physical switch
  • Admin Laptop, plugged into a port on the physical switch

    From the admin laptop, I can ping both 0.1 and 0.2 and https into 0.2.


    With a virtual layout, it does not work:

  • Port1 (Isolated Management interface), ping+ssh+http+https, plugged into port2 on the virtual switch
  • Port2 + Port3 (joined as a vSwitch), ping
  • Admin Laptop, plugged into port3 on the virtual switch

    From the firewall CLI, I can ping  Even if I change to 'exec ping-options source', I can still ping  


    From the laptop, I can ping but I cannot ping  If I put a network tap between the laptop and port3, I can see the workstation ARP for the MAC of but it doesn't get a response.


    I thought maybe the interfaces didn't use AutoSense technology, so the cable that connects Port1 to Port2, I replaced with a crossover cable and even though the firewall still showed the port as green and I could still ping from the CLI, I could not ping from the workstation.  


    It's almost as if the vSwitch isn't maintaining a MAC Address table... can anyone provide any insight into this?
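For readers comparing their own configuration against the "virtual layout" described in the reply, the following is an added example of how that layout would be expressed in FortiOS CLI. It is not the poster's configuration and was not part of the thread: it assumes the model exposes the vSwitch through `config system virtual-switch` with an interface of type `hard-switch` (not confirmed on the page), and every address is a placeholder from the RFC 5737 documentation range standing in for the real addresses the post omits. Only `config system settings` / `set allow-subnet-overlap enable` is taken from the post itself.

```fortios
# Added example, not from the forum post. Assumptions: the platform uses
# "config system virtual-switch" and interface type "hard-switch"; the vSwitch
# name "mgmt-vsw" and all IP addresses are placeholders (192.0.2.0/24).

# Both the isolated management port and the vSwitch interface sit on the same
# subnet, which FortiOS rejects unless subnet overlap is explicitly allowed.
config system settings
    set allow-subnet-overlap enable
end

# port2 + port3 bridged into one layer-2 domain ("Black Network Gateway").
config system virtual-switch
    edit "mgmt-vsw"
        config port
            edit "port2"
            next
            edit "port3"
            next
        end
    next
end

config system interface
    # vSwitch interface: answers ping only, stands in for the post's x.x.0.2
    edit "mgmt-vsw"
        set vdom "root"
        set type hard-switch
        set ip 192.0.2.2 255.255.255.0
        set allowaccess ping
    next
    # Isolated management interface, cabled into port2 of the vSwitch;
    # stands in for the post's x.x.0.1 and carries the management services
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end
```

With the layout written out this way, the two things worth checking on the CLI are `show system virtual-switch` (that port2 and port3 really are members of the same vSwitch) and `show system interface port1` (that `allowaccess` lists the services the laptop is trying to reach). Note that cabling port1 into port2 means the firewall's own port1 MAC must be learned on a member port of its own vSwitch; the ARP request the poster captured on port3 would only be answered if that learning succeeds.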






