Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
scerazy
New Contributor III

Conflicts with 'mgmt1' subnet (400D OS 5.4 GM)

It seems that for whatever "logical" reason the management interface can NOT be on the same subnet as the LAN.

This is supposed to work (I was told so by distributor tech support), but that does not seem to be the case:

------------------

config system settings

  set allow-subnet-overlap [enable/disable]

-----------------

Seb

AndreaSoliva
Contributor III

Hi

I do not know if your case is about the following circumstance! Following:

On a FGT it is out of the box not possible to configure any interface with a subnet which overlaps with another one. The reason behind this is more or less antispoofing. However, there are situations in which you can allow or enable the mentioned command "overlapping-subnet". If you do so you must be aware that you open a potential loop possibility in your env/network.

There is an exception to configure an interface specifically for a mgmt. function which overlaps with another one, which means:

If you create a cluster like active-passive, the cluster itself is shown as ONE device, which means actually the slave is not accessible anymore over an interface. This means if you access the FGT you will always access the master. If you would like to access the slave you have to access the FGT over CLI (which will be the master) and over the heartbeat interface you can access the slave's CLI. For troubleshooting this is horrible :) In such a constellation you are also not able to monitor each device, meaning master and/or slave, because as mentioned the cluster will be shown as one device.

What you can do is define for the cluster node a mgmt. interface (this is done in the HA config over the GUI). This interface defined as mgmt. interface will be taken out of the scope of the cluster and is fully independent, nothing to do anymore with the cluster function. This interface defined as a mgmt. interface within a cluster can overlap with the subnet of another one. This means, let's imagine you would have a secure control subnet of a /24 and the FGT has one interface clustered within this secure control /24 subnet. This FGT interface clustered within this secure control /24 subnet will be mainly used for, let's say, FAZ, FMG, Monitor Server. To be able to mgmt. or monitor each device you define also for each node a mgmt. interface within this /24 secure control subnet. Activate https, ssh, snmp, fgfm. Each mgmt. interface of the node has an IP out of the /24 secure control net. As stated, normally because of overlapping-subnet disable this is not allowed, but for this case it is allowed. Now you can manage, troubleshoot, monitor each device fully independently. Be aware if you do a configuration on the slave it will be overwritten after approx. 15 minutes with the config of the master :) This means config MUST be done on the master and not on the slave.

Probably you mixed up this behaviour with the information which you received.

Hope this helps

have fun

Andrea

scerazy
New Contributor III

I have ONE FGT that I would like to have the same subnet on the mgmt interface and the LAN interface.

Nothing more, nothing less.

The restriction does not make any sense to me.

AndreaSoliva

Hi

Understood... in this case you have to enable overlapping-subnet, otherwise it is not possible.

have fun

Andrea
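The two approaches discussed in this thread side by side, as an added example that is not from the original posts or from Fortinet documentation: option A is the `allow-subnet-overlap` setting the OP quotes (the answer for a single FortiGate), option B is the HA reserved management interface Andrea describes for clusters. The `ha-mgmt-status` / `ha-mgmt-interfaces` CLI names are my assumption of the CLI equivalent of the GUI HA step, and all addresses are constructed (192.0.2.0/24 documentation range).

```fortios
# Option A (single FortiGate, what the OP asks for): permit overlapping subnets.
# Trade-off: the overlap check is part of the anti-spoofing logic, so once it is
# off, ARP/route selection between mgmt1 and the LAN port can loop or pick the
# wrong egress. Re-check static routes and firewall policies afterwards.
# On a multi-VDOM unit enter the VDOM first:  config vdom / edit root
config system settings
    set allow-subnet-overlap enable
end

# Option B (the HA exception Andrea describes): a reserved management interface
# that is removed from the cluster scope and may share the secure-control /24
# with a clustered port without touching allow-subnet-overlap.
# Assumed CLI equivalent of the GUI HA setting; gateway is a constructed value.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 192.0.2.1
        next
    end
end

# Address and management services on the reserved interface (constructed values);
# services match the list in the reply above (https, ssh, snmp, fgfm).
config system interface
    edit "mgmt1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
    next
end

# Verify which option is active before relying on it
show system settings | grep allow-subnet-overlap
show system ha | grep ha-mgmt
```

Option A applies to the whole VDOM, not just mgmt1, so every later interface added with an overlapping address will be accepted silently; option B keeps the overlap check on and only exempts the reserved interface, which is why it is the safer choice wherever a cluster is in play.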
