New Contributor

Dedicated management access



I have a firewall with SD-WAN (2 VPN links included).

I try to access the management interface coming from the VPN link inside the SD-WAN, but I noticed that my traffic comes from the VPN, goes to the LAN port to a layer 3 switch, and then to mgmt:

vpn --> port lan --> switch L3 --> mgmt port.

I have a route to the management VLAN that goes to the LAN port (this is an existing configuration).

Access to the mgmt interface is not working. Any ideas?

Why does the kernel route to management not take precedence?





Hi Mayoub

This is expected behavior if your management interface is "dedicated-to management".

You can check as follows:

config system interface
    edit mgmt
        show

If you see the line "set dedicated-to management" then the management interface is out of band; it is as if this interface were in a different VRF from the other firewall interfaces, and you can't route to or create policies with this interface.

Having this config is OK; you can leave it as is, but if it doesn't comply with your design requirements then you just need to disable "dedicated-to management" for this interface.

New Contributor

Hello AEK,


Yes, I confirm that this interface is dedicated to management.

So what makes accessing that interface impossible might be something other than the FortiGate?


Hi Mayoub

Check if there is a firewall policy that allows you to access the mgmt IP through the VPN.

It should be defined like this:

  • src intf: VPN tunnel interface
  • dst intf: LAN
  • src: VPN IP pool
  • dst: mgmt IP
  • service: https, ssh, ping

Once you have checked this, try to access mgmt from the VPN, then see what's happening in the traffic logs.

You can also see how the traffic is flowing:

diag sniffer packet any 'host <mgmt-IP> and host <vpn-client-IP> and port 443' 4


New Contributor




Yes, I do have a policy that authorises the traffic.

Doing the sniff is how I noticed that the traffic is going to LAN before the mgmt port; I have the following:

vpn in
lan out
mgmt in
mgmt out
lan in
vpn out

I also have, when debugging, some "no session matched" errors for the reply-direction packets.
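The interface sequence above is the kind of thing that is easy to misread in a raw `diag sniffer packet ... 4` capture. The following script is an added example by the editor, not code from this thread or from Fortinet: it parses verbosity-4 sniffer lines (format `<timestamp> <interface> <in|out> <src>.<port> -> <dst>.<port>: <flags>`), rebuilds the per-flow interface path, and flags the two patterns relevant here: the request re-entering the unit on a second interface (a hairpin via the L3 switch) and a reply returning on a different interface than the request left by (asymmetric routing). The capture, the addresses and the interface names (`ssl.root` for the VPN, `port1` for LAN, `mgmt`) are constructed assumptions for the example.

```python
import re

# One verbosity-4 line of `diagnose sniffer packet` (assumed format, no hex dump):
#   <timestamp> <interface> <in|out> <src-ip>.<src-port> -> <dst-ip>.<dst-port>: <flags ...>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample capture (not a real one): a VPN client at 10.212.134.200
# opening HTTPS to the mgmt address 10.0.0.5. Interface names are assumptions.
SAMPLE = """\
interfaces=[any]
filters=[host 10.0.0.5 and host 10.212.134.200 and port 443]
0.100000 ssl.root in 10.212.134.200.51234 -> 10.0.0.5.443: syn 1000
0.100020 port1 out 10.212.134.200.51234 -> 10.0.0.5.443: syn 1000
0.100300 mgmt in 10.212.134.200.51234 -> 10.0.0.5.443: syn 1000
0.100400 mgmt out 10.0.0.5.443 -> 10.212.134.200.51234: syn 2000 ack 1001
0.100600 port1 in 10.0.0.5.443 -> 10.212.134.200.51234: syn 2000 ack 1001
0.100620 ssl.root out 10.0.0.5.443 -> 10.212.134.200.51234: syn 2000 ack 1001
"""


def parse_sniffer(text):
    """Return one dict per packet line; header lines (interfaces=, filters=) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": float(m["ts"]), "iface": m["iface"], "dir": m["dir"],
            "src": (m["src"], int(m["sport"])), "dst": (m["dst"], int(m["dport"])),
            "flags": m["rest"].strip(),
        })
    return events


def trace_flows(events):
    """Group packets per conversation; the first packet seen defines the client side."""
    flows = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(sorted([ev["src"], ev["dst"]]))   # direction-independent key
        f = flows.setdefault(key, {"client": ev["src"], "path": []})
        direction = "request" if ev["src"] == f["client"] else "reply"
        f["path"].append((ev["iface"], ev["dir"], direction))
    return flows


def path_string(path):
    """Render the interface sequence the way you would read it off the capture."""
    return " -> ".join(f"{iface} {d}" for iface, d, _ in path)


def diagnose(path, mgmt_iface="mgmt"):
    """Flag hairpin and asymmetric patterns in one flow's interface path."""
    findings = []
    req_in = [i for i, d, r in path if d == "in" and r == "request"]
    req_out = [i for i, d, r in path if d == "out" and r == "request"]
    rep_in = [i for i, d, r in path if d == "in" and r == "reply"]
    # The same request entering the unit on a second interface after it already
    # left means an external device (here the L3 switch) sent it back: a hairpin,
    # i.e. the unit forwarded it by its routing table instead of delivering locally.
    if len(req_in) > 1:
        findings.append("hairpin: request ingressed on %s after egressing via %s"
                        % (", ".join(req_in), ", ".join(req_out) or "?"))
    # Reaching the mgmt port only via that hairpin is the dedicated-to-management
    # symptom: the port is outside the forwarding domain the policy applies to.
    if mgmt_iface in req_in and req_in[0] != mgmt_iface:
        findings.append("mgmt reached via hairpin, not by a direct kernel route")
    # Reply coming back on a different interface than the request left through is
    # asymmetric routing, a common source of "no session matched" on the reply.
    if req_out and rep_in and rep_in[0] != req_out[-1]:
        findings.append("asymmetric: request left via %s, reply returned via %s"
                        % (req_out[-1], rep_in[0]))
    return findings


if __name__ == "__main__":
    for key, flow in trace_flows(parse_sniffer(SAMPLE)).items():
        print(key[0], "<->", key[1])
        print("  path:", path_string(flow["path"]))
        for finding in diagnose(flow["path"]):
            print("  ", finding)
```

Paste the real capture in place of `SAMPLE` (or read it from a file); the reply-direction ingress interface is the first thing to compare against the request's egress interface, since a mismatch there is what a `diag debug flow` trace reports as the reply having no matching session.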







Hi @Mayoub,


Do you have a policy route or SD-WAN rule configured to route traffic via LAN instead of mgmt?



