Hello,
I have a firewall with SD-WAN (2 VPN links included).
I try to access the management interface coming from the VPN link inside the SD-WAN, but I noticed that my traffic comes from the VPN, goes to the LAN port, to a layer 3 switch and then to mgmt:
vpn --> port lan --> switch L3 --> mgmt port.
I have a route to the management VLAN that goes to the LAN port (this is an existing configuration).
Access to the mgmt interface is not working, any ideas?
Why does the kernel route to management not take precedence?
Hi Mayoub
This is expected behavior if your management interface is "dedicated-to management".
You can check as follows:
config system interface
    edit mgmt
        show
If you see the line "set dedicated-to management" then the management is out of band, and it is as if the VRF of this interface is not the same as that of the other firewall interfaces, and you can't create routes or policies with this interface.
Having this config is OK, you can leave it as is, but if it doesn't comply with your design requirement then you just need to disable "dedicated-to management" for this interface.
Hello AEK,
Yes, I confirm that this interface is dedicated to management.
So what makes accessing that interface impossible might be something other than the FortiGate?
Hi Mayoub
Check if there is a firewall policy that allows you access mgmt IP through VPN.
It should be defined like this:
Once you check this, try access mgmt from VPN then see what's happening in traffic logs.
You can also see how traffic is flowing:
diag sniffer packet any 'host <mgmt-IP> and host <vpn-client-IP> and port 443' 4
Hello,
Yes, I do have a policy that authorises the traffic.
By doing the sniff is how I noticed that the traffic is going to LAN before the mgmt port, so I have the following:
vpn in
lan out
mgmt in
mgmt out
lan in
vpn out
I also have, when debugging, some "no session matched" errors for the reply direction packets.
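The six-hop interface list above is exactly what the verbosity-4 sniffer prints, and it can be checked mechanically. The script below is an added example, not code from this thread or from Fortinet: it parses sniffer lines of the form `<timestamp> <interface> <in|out> <src>.<port> -> <dst>.<port>: <flags>` and flags two symptoms of a hairpin through the LAN: packets addressed to the firewall's own management IP being sent out of another interface, and replies sourced from that IP coming back in. The interface names (vpn1, lan, mgmt), the addresses and the sample trace are constructed to reproduce the path described in the post; a healthy trace would yield empty lists for both checks.

```python
import re

# Assumed addresses for the illustration (not from the thread).
MGMT_IP = "10.10.99.1"        # management interface address
VPN_CLIENT_IP = "10.200.0.5"  # VPN client address

# Constructed sample of "diag sniffer packet any '...' 4" output, arranged to
# reproduce the vpn in / lan out / mgmt in / mgmt out / lan in / vpn out path.
SAMPLE_TRACE = """\
interfaces=[any]
filters=[host 10.10.99.1 and host 10.200.0.5 and port 443]
1.000001 vpn1 in 10.200.0.5.51000 -> 10.10.99.1.443: syn 1000
1.000050 lan out 10.200.0.5.51000 -> 10.10.99.1.443: syn 1000
1.000900 mgmt in 10.200.0.5.51000 -> 10.10.99.1.443: syn 1000
1.001200 mgmt out 10.10.99.1.443 -> 10.200.0.5.51000: syn 2000 ack 1001
1.001300 lan in 10.10.99.1.443 -> 10.200.0.5.51000: syn 2000 ack 1001
1.001400 vpn1 out 10.10.99.1.443 -> 10.200.0.5.51000: syn 2000 ack 1001
"""

# One verbosity-4 packet line: timestamp, interface, direction, 4-tuple.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_trace(text):
    """Parse packet lines into dicts; header lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = float(ev["ts"])
            events.append(ev)
    return events


def path(events):
    """Ordered (interface, direction) hops, i.e. the list the poster wrote by hand."""
    return [(e["iface"], e["dir"]) for e in events]


def forwarded_toward_local_ip(events, local_ip):
    """Interfaces on which packets addressed to a firewall-owned IP went OUT.
    A locally terminated address should be delivered, not forwarded, so the
    expected result is an empty list."""
    return sorted({e["iface"] for e in events
                   if e["dst"] == local_ip and e["dir"] == "out"})


def replies_reentering(events, local_ip):
    """Interfaces on which packets sourced FROM a firewall-owned IP came back IN,
    meaning an external router looped the reply through the firewall again.
    Also expected to be empty."""
    return sorted({e["iface"] for e in events
                   if e["src"] == local_ip and e["dir"] == "in"})


def diagnose(text, local_ip):
    """Summarise a trace: the hop list plus the two hairpin indicators."""
    events = parse_trace(text)
    out_via = forwarded_toward_local_ip(events, local_ip)
    in_via = replies_reentering(events, local_ip)
    return {
        "path": path(events),
        "forwarded_out_via": out_via,
        "reply_reentered_via": in_via,
        "hairpin": bool(out_via or in_via),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE, MGMT_IP)
    for iface, direction in result["path"]:
        print("%-6s %s" % (iface, direction))
    print("forwarded out via:", result["forwarded_out_via"])
    print("reply re-entered via:", result["reply_reentered_via"])
    print("hairpin detected:", result["hairpin"])
```

Run it against a real capture by replacing SAMPLE_TRACE with the sniffer output pasted from the CLI; when both lists come back empty the management traffic is being terminated on the mgmt interface directly rather than detouring through the LAN.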
Hi @Mayoub,
Do you have policy route or SDWAN rule configured to route traffic via LAN instead of mgmt?
Regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.