Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FGCP Management IP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGCP Management IP
Dear All,
When running FGCP is there any way to maintain a separate MGT IP on the active and passive FGTs?
I can see that the data-plane interfaces on the units need layer two reachability because in the event of a failover the IP and MAC will float to the standby unit (and GARP will take place). It seems a bit awkward to have the same MGT IP float between the boxes because you wouldn't get any direct SSH/SNMP/HTTPS reachability of the standby for monitoring purposes.
Additionally, if one used dynamic routing on the FGT, wouldn't you need to peer with the virtual IP on the upstream switch? Again, this seems a bit awkward compared with FGSP.
Many thanks again for any insight.
James.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe this is what you're looking for?
https://kb.fortinet.com/kb/documentLink.do?externalID=FD32214
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I deleted all references to my existing "mgmt1" interface then applied the commands you referenced. Now I can SSH individually to each. This is progress, but may I ask some follow-on questions?
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "mgmt1"
set dst 10.0.0.254
next
end
end
DeviceA:
config system interface
edit mgmt1
set ip 10.0.0.1 255.255.255.0
set allowaccess ping ssh fgfm https snmp
set type physical
set dedicated-to-management
next
end
DeviceB:
config system interface
edit mgmt1
set ip 10.0.0.2 255.255.255.0
set allowaccess ping ssh fgfm https snmp
set type physical
set dedicated-to-management
next
end
1. Will this work with FMG and FAZ?
2. Will on-box agents like NTP and SNMP-Traps know to use this MGT path?
3. I used to keep mgmt1 in the a vdom named root and set a local-in policy. Is this no longer possible? I notice that I can no longer do a "set vdom root" under the mgmt1 interface? Is there anyway to secure the management?
Kind regards
James.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting questions, and I'm afraid I don't know all the answers. Perhaps one of the other more experienced admins will weigh in, but I can say this:
[ol]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, guys,
I am also facing this problem ( I am using Forti600E with V6.4.4 :(
When I configured the "mgmt" port, got the following problem:
Forti600E_04 # config system ha Forti600E_04 (ha) # set ha-mgmt-status enable Forti600E_04 (ha) # config ha-mgmt-interfaces Forti600E_04 (ha-mgmt-interfaces) # edit 1 new entry '1' added
Forti600E_04 (1) # set interface "mgmt" node_check_object fail! for interface mgmt
value parse error before 'mgmt' Command fail. Return code -23
Forti600E_04 (1) #
The command "set dedicated-to management"also can not be applied to this physical interface "mgmt".
May I know if the "mgmt1" is virtual interface or what else ?
many thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Had a similar problem last night. You need to go through every vdom and delete references to the interface giving the error (mgmt). It's a pain, but the GUI can show you show many references are left. Check out this post (near the end) which show the same problem and solution: [link]https://forum.fortinet.com/tm.aspx?m=126650[/link]
Also, after "set interface " enter the ? (question mark) to see what is in the list. On my model it's mgmt1 or mgmt2. If you have just mgmt, it might be a virtual IF created by someone, you can check by doing a "show" under "config system interface".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you think I also need ha-direct to get SNMP, NTP etc working?
config system ha
set ha-direct enable
end
There some interesting discussion about the reserved-management interface being added to a hidden vdom named "vsys_ha". I wonder if the local-in policy can be tweaked inside this?
Unfortunately the whole MGT configuration with FGCP is a bit messy. It's a shame because the "HA Reserved Management" really would solve a lot of problems if you could only secure it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update. Our Fortinet SE provided some helpful guidance on this.
# Indicate the managementVDOM here ('root' by default):
config system global
set management-vdom root
end
# Your ha-reserved-management IP can then be secured using local-in policies in the indicated vdom with an extra line on each policy
config vdom
edit root
config firewall local-in-policy
edit 1
set ha-mgmt-intf-only enable <- applies the local-in poliy to the ha-reserved-management ip
set intf "any"
set srcaddr "all"
set dstaddr "all"
set service "SSH"
set schedule "always"
set action accept
next
edit 9
set ha-mgmt-intf-only enable <- applies the local-in poliy to the ha-reserved-management ip
set intf "any"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
set schedule "always"
set action deny
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it's possible to achieve that, you can use the "set management-ip" command to set a different ip on each cluster node.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/349060/in-band-management
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another important discovery is that FMG doesn't work with the ha-reserved-management IP. It will add the device correctly, but once you install a policy the installation gets stuck at 35% and the FGFM connection will drop.
There is a KB mentioning this, but not suggesting a solution:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37209&sliceId=1
It seems that another interface can be used for the FMG. If anyone has tried this could you let me know please?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,683 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
243 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1709 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.