ataro
New Contributor II

200F Dedicated Management Command Not Available

I have a single 200F firewall; firmware is 7.2.2 Build 1255.

I am trying to set MGMT as OOB from the CLI, but the command "config system dedicated-mgmt" is not available. I was able to do the same on a 401E firewall, but on the 200F firewall it's not available. Please assist.

 

FW # config system
3g-modem Configure 3G modem.
accprofile Configure access profiles for system administrators.
acme Configure ACME client.
admin Configure admin users.
alias Configure alias command.
api-user Configure API users.
arp-table Configure ARP table.
auto-install Configure USB auto installation.
auto-script Configure auto script.
automation-action Action for automation stitches.
automation-destination Automation destinations.
automation-stitch Automation stitches.
automation-trigger Trigger for automation stitches.
autoupdate Configure automatic updates.
central-management Configure central management.
console Configure console.
csf Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
custom-language Configure custom languages.
ddns Configure DDNS.
dhcp Configure DHCP.
dhcp6 Configure DHCPv6.
dns Configure DNS.

distillednetwork
Contributor III

Are you trying to set this up with a standalone 200F or in HA setup?

 

ataro

Standalone, single firewall.

distillednetwork
Contributor III

The 400E has an NP6 chipset in it while the 201F has an NP6X-Lite.  There are some different capabilities in the different chipsets.  According to the documents regarding the dedicated-mgmt setting "Using this command is not recommended and it is not available on all FortiGate models." 

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/303733/system-dedicated-mgmt

 

If you are looking to have all FortiGate services use the mgmt ports instead of the traffic ports, then I would look at split-task vdom.  This is the best way to separate management and traffic interfaces/traffic.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-mode

 

Another option is to keep the set dedicated-to management option on the mgmt port and put it in a different vrf.  Then you can add route(s) for the mgmt port.

ataro

How do I keep the mgmt port in a different vrf and add static routes for the mgmt port?

distillednetwork

config system interface
    edit mgmt
        set vrf ##   << Pick a VRF number other than 0
end

 

Then any routes you create associated with mgmt port will be in that vrf.  You will see them when you do:

 

get router info routing-table all

ataro

Thank you, I have configured it, but I am unable to define another physical interface with the same subnet as the MGMT interface.

Interface Port1 & Port2 in VRF1. MGMT in VRF 0.

I want MGMT to use Port2 as gateway. But it gives the error "Conflict with 'mgmt' subnet".

How can I resolve this?

 

distillednetwork

You can enable subnet-overlap; I would just be very careful to test to make sure you don't have any unintended results.

 

# config system settings
     set allow-subnet-overlap [enable/disable]
 end

I would still recommend looking at the split-task vdom for your setup.
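
One way to review a configuration backup for the interface overlaps that allow-subnet-overlap permits, and to see whether each overlapping pair sits in the same VRF. This is an added example, not code from the thread or from Fortinet; the sample addresses and VRF numbers are constructed, and treating an unset vrf as 0 is an assumption.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in FortiOS backup syntax; addresses and VRF ids are illustrative.
SAMPLE_CONFIG = """
config system interface
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
    next
    edit "port1"
        set vrf 1
        set ip 198.51.100.1 255.255.255.0
    next
    edit "port2"
        set vrf 1
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

def parse_interfaces(config_text):
    """Return {name: (IPv4Network, vrf)} from 'config system interface'."""
    interfaces, name, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = int(line == "config system interface")
        elif line.startswith("config "):
            depth += 1  # nested table inside an interface entry; skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            name = m.group(1)
            interfaces[name] = [None, 0]  # assumption: unset vrf means VRF 0
        elif depth == 1 and name and (m := re.fullmatch(r"set ip (\S+) (\S+)", line)):
            interfaces[name][0] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif depth == 1 and name and (m := re.fullmatch(r"set vrf (\d+)", line)):
            interfaces[name][1] = int(m[1])
    # Drop interfaces with no address (missing or 0.0.0.0 0.0.0.0).
    return {n: (net, vrf) for n, (net, vrf) in interfaces.items()
            if net is not None and net.prefixlen > 0}

def find_overlaps(interfaces):
    """List (iface_a, iface_b, same_vrf) for every pair with overlapping subnets."""
    return [(a, b, interfaces[a][1] == interfaces[b][1])
            for a, b in combinations(sorted(interfaces), 2)
            if interfaces[a][0].overlaps(interfaces[b][0])]

if __name__ == "__main__":
    for a, b, same_vrf in find_overlaps(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{a} <-> {b}: overlapping subnet, same VRF: {same_vrf}")
```

Pairs reported with `same VRF: True` are the ones to check first after enabling the setting, since both interfaces then compete for the same connected subnet in one routing table.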
