How do we set a default gateway for management interface that wont interfere with system routing table when VDOM's are enabled. I don't see dedicated-mgmt. option.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can place the management port into a separate VDOM of its own. Then make this VDOM the management VDOM. This way:
a. The default gateway of the mgmt VDOM won't interfere with the system's routing table and
b. The mgmt traffic won't interfere with the real data traffic.
I would not waste a vdom for this imho
If you want OOB management and have aux or mgt interface just configured these for mgmt use
e.g
config sys interface
edit "mgmt"
set ip 11.1.1.1 255.255.255.0
set allowaccess ping https ssh snmp fgfm
set type physical
set dedicated-to management
set description "MANAGEMENT OOB ACCES"
set device-identification enable
next
end
Now under the HA cfg
config sys ha
set ha-mgmt-status enable
set ha-mgmt-interface "mgmt"
set ha-mgmt-interface-gateway 11.1.1.254
end
That interface will not be in any vdom RIB table.
PCNSE
NSE
StrongSwan
The problem is that if the management interface is in the same subnet as the traffic interfaces, it would interfere with the routing and possibly send some traffic out the management interface instead of an accelerated interface. The set dedicated to management only worked if the ip was in a different subnet. So it was not possible to have the FGT processing traffic at 192.168.1.10 and have out of band management only interface at 192.168.1.12, for example.
I opened a case about this some years ago running some version of 5.2.x and was told this was by design.
I was told (not by fortinet) it has been tweaked in more recent firmware where there is a quasi-hidden vdom that separates the routing of dedicated management interfaces and doesn't eat a vdom license, but my configurations already include a separate management only vdom so i can't readily test it.
CISSP, NSE4
Hello,
config system settings set allow-subnet-overlap enable
Regards,
HA
So looks like I cannot configure mgmt. interface with an overlapping IP address without a separate mgmt. vdom ?
the paused quasi vdom is known as dmg-vdom btw. You have a interesting challenge, but my 1st question is what do you need the mgmt interface in the same network as non-mgmt interfaces?
I just check a new FGT3240C deployment that we have going on, and we have the mgmt interface address in the same range of a VDOM interface btw and that interface is the GW for the mgt traffic.
Not how I would design it but it is what it is ;)
ken
PCNSE
NSE
StrongSwan
Just a small correction /24 subnet about to use for mgmt. interface is non-overlapping and it is a standalone firewall(vdom enabled)so I cannot use ha-mgmt.
Looks like system dedicated-mgmt. auto disables after we enable vdoms.
FYI
If your standalone than HA mgmt does not apply as you figured out. So in your case you want to use mgmt interface that are dedicated and not part of a VDOM per-se
Why don't you set mode A-P in HA and just ignore having a "peer cluster"
Than enable the ha-mgmt
e.g
config sys ha
set group-name "CLUSTER1"
set mode a-p
set password mybadA$$P@$$w0rd
set ha-mgmt-status enable
set ha-mgmt-interface "mgmt"
set ha-mgmt-interface-gateway 172.17.1.1
set priority 250
set sync-config enable
set encryption enable
end
PCNSE
NSE
StrongSwan
Hi Emnoc,
i have a question please. in a ha Env, in your config proposition : what 11.1.1.254 represent ( switch which mgmt is connected?) or ?
"config sys ha set ha-mgmt-status enable set ha-mgmt-interface "mgmt" set ha-mgmt-interface-gateway 11.1.1.254 end"
we have a 300E a-p cluster in 5.6.4.
we're triying to configure access to cluster through a Virtual IP address and both individual IP of each cluster unit.
the management subnet is 10.10.10.0/26
the switch wich the 3 ports (mgmt,port2(unit1) port2(unit2)) is 10.10.10.10/26
we reserved the IP 10.10.10.1/26 for "mgmt" port for the access to the cluster.
we reserved port2 for dedicated access for each unit with IP 10.10.10.2/26 ( unit 1) and 10.10.10.3/26 for unit 2.
in config sys ha, we've enabled the option "management interface reservation" and set the default gateway to 10.10.10.1 (the IP of the mgmt port). not sure about the Gateway
IN CLI (extract from full config)
set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 set interface "port2" set dst 0.0.0.0 0.0.0.0 set gateway 10.10.10.1 set gateway6 :: next end
we are unable to access the second unit, only the master O.o
it is a correct way to configure and individual cluster unit access?
i've followed the online help but the didn't specify what the default gateway refered ....
thanks in advance for your help.
Phi.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.