Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
damianhlozano
Contributor

Access to Fortigates, to mgmt IP addresses, from another VLAN

Hello team!!!

 

We have two FGT100Fs in HA and have configured the interfaces called "mgmt" as "in band".

Now we need to access them from a computer on any other interface, and we get:

[Screenshot: Debug.png, the debug flow output]

150.0.0.4 is the IP of Fortigate HA in a specific VLAN and 150.0.0.3 is another device in the same VLAN.

I know this is a public IP, but it is complicated to change the IP on all the devices in this VLAN.

From 150.0.0.3 I can ping 150.0.0.4, but not the HA IP on the mgmt interface.

From another device on the mgmt interface, I can ping the HA IP on the mgmt interface, and each FortiGate as well.

Previously, we had disabled src-check on the mgmt interface.

I tried to add a local-in policy to allow this (config firewall local-in-policy), but the behavior is still the same.

We need to access the FortiGate from any VLAN using the IP on the mgmt interface. Is this possible?

 

Thanks in advance.

Regards,

Damián

Damián Lozano
2 REPLIES
johnathan
Staff

'iprope_in_check() check failed on policy 2' indicates a local-in policy is actually blocking this traffic. Are you able to post what you had configured?

"Never trust a computer you can't throw out a window."
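The line johnathan quotes is produced by the FortiGate flow debugger. As an added example, not part of either post in this thread, the following CLI sequence (FortiOS 7.x command syntax) captures that trace for the ping described in the question and then lists the local-in policies with their defaults expanded. The addresses come from the original post; restricting the filter to ICMP and the 100-packet trace limit are assumptions.

```fortios
# Run this on the primary unit of the cluster (check with: get system ha status).
# Clear any leftover debug state and scope the trace to the ping from the
# VLAN host 150.0.0.3 to the FortiGate's VLAN address 150.0.0.4.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 150.0.0.3
diagnose debug flow filter daddr 150.0.0.4
# proto 1 = ICMP (assumption: only the ping is of interest)
diagnose debug flow filter proto 1
# print the kernel function name with every trace line (e.g. func=iprope_in_check)
diagnose debug flow show function-name enable
# trace at most 100 packets, then start printing to the console
diagnose debug flow trace start 100
diagnose debug enable

# ... send the pings from 150.0.0.3 now. A packet dropped by local-in
# filtering shows up as a line containing
#   iprope_in_check() check failed on policy <n>, drop
# A packet that is never traced did not reach this FortiGate at all;
# confirm arrival on the wire with the sniffer (verbose 4 shows the
# ingress interface name, 10 = stop after ten packets):
diagnose sniffer packet any 'host 150.0.0.3 and icmp' 4 10

# Always stop the trace and clear the filters when done
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset

# "show" hides default values; "show full-configuration" prints every
# attribute, including the action of each local-in policy
show full-configuration firewall local-in-policy
```

Leaving `diagnose debug enable` active on a production cluster floods the console and costs CPU, so the stop commands matter as much as the start ones.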
damianhlozano

Hello Johnathan, thanks for your response.

 

Yes, these are my current local-in policies:

--------------------------------------------

config firewall local-in-policy
   edit 1
      set uuid 81d13aa0-7a98-51ef-5343-05b37f0d0f86
      set intf "VL10_LAN-Kompus" "mgmt"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set service "ALL"
      set schedule "always"
   next
   # No "set action" is shown for policy 4: "show" omits defaults, and the
   # local-in-policy default action is deny. With srcaddr-negate enabled,
   # traffic on port7-port11 that is NOT from IPs_Argentina is dropped.
   edit 4
      set uuid 1fa07e74-7064-51ef-75cb-bb5d6eb89bf2
      set intf "port7" "port8" "port9" "port10" "port11"
      set srcaddr "IPs_Argentina"
      set srcaddr-negate enable
      set dstaddr "all"
      set service "ALL"
      set schedule "always"
   next
end

--------------------------------------------

 

Rule ID 1 is the one I just created, trying to allow ping from VL10_LAN-Kompus to the IPs on the "mgmt" ports.

Rule ID 4 is a rule I had created to allow connections to the FortiGate only from IPs in my country (Argentina). port7, port8, port9, port10 and port11 are WAN ports.

 

Regards,

Damián

Damián Lozano