Access to Fortigates, to mgmt IP addresses, from another VLAN
Hello team!!!
We have 2 FGT100F in HA and have configured the interfaces called "mgmt" as "in band".
Now we need to access them from a computer on any other interface, and get:
150.0.0.4 is the IP of the Fortigate HA in a specific VLAN and 150.0.0.3 is another device in the same VLAN.
I know this is a public IP, but it is complicated to change the IP on all the devices in this VLAN.
From 150.0.0.3 I can ping 150.0.0.4, but not the HA IP on the mgmt interface.
From another device on the mgmt interface, I can ping the HA IP on the mgmt interface, and each Fortigate as well.
Previously, we had disabled src-check on the mgmt interface.
I tried to add a local-in policy to allow this (config firewall local-in-policy), but still the same behavior.
We need to access the Fortigate from any VLAN, using the IP on the mgmt interface. Is this possible?
Thanks in advance.
Regards,
Damián
Labels: FortiGate
Created on 09-25-2024 03:19 PM Edited on 09-25-2024 03:21 PM
If you're using 150.0.0.4 to access the FGT, yes, you don't need the policy. That gives you access only to the primary. But if you use 192.168.29.8 while you're coming from the VL10_LAN-Kompus interface, you need a policy. You can test this by just pinging it. You shouldn't be able to ping the mgmt IP from VL10_LAN-Kompus without the policy.
Toshi
'iprope_in_check() check failed on policy 2' indicates a local-in policy is actually blocking this traffic. Are you able to post what you had configured?
Hello Johnathan, thanks for your response.
Yes, these are my current local-in policies:
--------------------------------------------
config firewall local-in-policy
    edit 1
        set uuid 81d13aa0-7a98-51ef-5343-05b37f0d0f86
        set intf "VL10_LAN-Kompus" "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 4
        set uuid 1fa07e74-7064-51ef-75cb-bb5d6eb89bf2
        set intf "port7" "port8" "port9" "port10" "port11"
        set srcaddr "IPs_Argentina"
        set srcaddr-negate enable
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
--------------------------------------------
Rule ID 1 is the one I just created, trying to allow ping from VL10_LAN-Kompus to the IPs on the "mgmt" ports.
Rule ID 4 is a rule I had created to allow connections to the Fortigate only from IPs in my country (Argentina). port7, port8, port9, port10 and port11 are WAN ports.
Regards,
Damián
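To reason about which of the two posted local-in policies a given packet hits, here is a small first-match evaluator for FortiOS `config firewall local-in-policy` blocks, written as an added example for this thread (it is not Fortinet code and not Damián's configuration tooling). It models only what the thread makes visible: top-down first match, `srcaddr-negate`, and the fact that a local-in policy with no `set action` line denies. The members of the `IPs_Argentina` address group are not shown in the thread, so a placeholder prefix stands in for them, and the treatment of traffic that matches no policy (allowed, subject to the interface's allowaccess settings, which are not modelled) is an assumption stated in the code.

```python
"""Added example: first-match evaluator for FortiOS local-in policies.

Not Fortinet's code. Address-group membership and the unmatched-traffic
default are assumptions, noted where they appear."""
import ipaddress
import re

# Damián's posted configuration, copied from the thread above.
LOCAL_IN_CONFIG = """
config firewall local-in-policy
    edit 1
        set uuid 81d13aa0-7a98-51ef-5343-05b37f0d0f86
        set intf "VL10_LAN-Kompus" "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 4
        set uuid 1fa07e74-7064-51ef-75cb-bb5d6eb89bf2
        set intf "port7" "port8" "port9" "port10" "port11"
        set srcaddr "IPs_Argentina"
        set srcaddr-negate enable
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end
"""

# Constructed address objects. The thread never lists the members of
# IPs_Argentina, so a documentation prefix is used as a placeholder.
ADDRESS_OBJECTS = {
    "all": [ipaddress.ip_network("0.0.0.0/0")],
    "IPs_Argentina": [ipaddress.ip_network("203.0.113.0/24")],  # placeholder
}


def parse_local_in_policies(text):
    """Turn each ``edit N ... next`` entry into a dict of its ``set`` lines.

    A local-in policy without an explicit ``set action`` denies, so the
    default action is seeded as "deny" before the entry's lines are read."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": int(line.split()[1]), "action": "deny",
                       "srcaddr-negate": "disable"}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # Quoted tokens (interfaces, addresses) become a list;
            # bare tokens such as "accept" or "enable" stay as a string.
            values = re.findall(r'"([^"]*)"', rest)
            current[key] = values if values else rest
    return policies


def _addr_match(names, ip):
    """True if ``ip`` falls inside any prefix of the named address objects."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for name in names for net in ADDRESS_OBJECTS[name])


def evaluate(policies, intf, src, dst):
    """Return (verdict, policy_id) for traffic addressed to the FortiGate itself.

    Policies are walked top-down and the first match decides. Assumption:
    traffic that matches no local-in policy is allowed, subject to the
    interface's allowaccess settings, which this model does not cover."""
    for p in policies:
        if intf not in p["intf"]:
            continue
        src_ok = _addr_match(p["srcaddr"], src)
        if p["srcaddr-negate"] == "enable":
            src_ok = not src_ok
        if src_ok and _addr_match(p["dstaddr"], dst):
            return p["action"], p["id"]
    return "accept", None


if __name__ == "__main__":
    pols = parse_local_in_policies(LOCAL_IN_CONFIG)
    # Device in the VLAN reaching the in-band management IP: policy 1 accepts.
    print(evaluate(pols, "VL10_LAN-Kompus", "150.0.0.3", "192.168.29.8"))
    # Non-Argentina source on a WAN port: policy 4 matches (negated) and denies.
    print(evaluate(pols, "port7", "198.51.100.7", "150.0.0.4"))
    # Argentina source on a WAN port: policy 4 does not match, nothing else does.
    print(evaluate(pols, "port7", "203.0.113.9", "150.0.0.4"))
```

Running it shows why policy 4 works as an allow-list without an `accept` line: sources outside `IPs_Argentina` match the negated rule and are denied, while Argentina sources fall through with no match. It also makes the point of the thread concrete: whether a packet from VL10_LAN-Kompus to the mgmt IP is accepted depends on a policy whose `intf` includes the ingress interface, not on the address the packet is going to.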
Any idea?
Thanks, regards!
Hello Damian,
According to your local-in policy configuration, we are not able to see policy ID 2.
Can you please check that you have selected the correct gateway for the management interface in the HA configuration? Traffic might be trying to go out on a different interface.
Can you please also check your firewall policy 2?
Hello tpatel, thanks for your response.
Local-in policy ID 2 does not exist.
In the HA configuration, I do not have any settings for the Management interface, as it is "In Band". Also, I have a route for the entire Management net, as I have an IP on this interface.
Regards,
Created on 09-25-2024 01:42 PM Edited on 09-25-2024 01:42 PM
Where is 150.0.0.4/? configured? On the VL10_LAN-Kompus VLAN interface? Or the mgmt interface? And what is the subnet mask for both the VLAN and mgmt?
If mgmt is in-band, you shouldn't be able to set IPs from the same or overlapping subnet.
Toshi
150.0.0.4/16 is the IP of the Fortigates on the "VL10_LAN-Kompus" interface.
192.168.29.5/24 is the IP of the Fortigates on the "mgmt" interface.
I used the following to have a different IP on each Fortigate:
config system interface
    edit mgmt
        set management-ip 192.168.29.8/24
    next
end
The active Fortigate has 192.168.29.8/24 as management-ip, and the passive Fortigate has 192.168.29.9/24.
Thanks.
Regards,
I never knew this command line "set management-ip xx/xx" existed, which is in the CLI manual as "High Availability in-band management IP address of this interface". So I never used it.
Do you see it in your routing table? (get router info routing-t all) I now believe it's there though.
Toshi
If it's there, I think you still need a policy "VL10_LAN-Kompus -> mgmt". Do you have it?
Toshi