Hi all,
My first post here!
I am trying to deploy FGT (V7.0.8) on two sites, each FGT with its own dedicated mgmt interface, and have HTTPS access over an IPSEC tunnel, diagram below:
From the local site, each admin pc can access the local FGT web interface, the issue starts when the admin at pc A tries to access the FGT-B web interface tunnel and when the admin at pc B tries to access the FGT-A web interface.
mgmt interface configuration of each FGT below:
FGT-A:
config system interface
edit "mgmt"
set vdom "root"
set ip 10.206.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
FGT-B:
config system interface
edit "mgmt"
set vdom "root"
set ip 10.205.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
Diagnose debug flow from FGT-A when admin B tries to access FGT-A icmp/ping
2022-10-20 18:59:49 id=20085 trace_id=1505 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7741."
2022-10-20 18:59:49 id=20085 trace_id=1505 func=init_ip_session_common line=6050 msg="allocate a new session-01a534dd, tun_id=169.254.111.1"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7746."
2022-10-20 18:59:54 id=20085 trace_id=1506 func=init_ip_session_common line=6050 msg="allocate a new session-01a535df, tun_id=169.254.111.1"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
My understanding is tha traffic was denied by default policy, so I tried to create a firewall policy as below, but I can't set mgmt interface as destinf.
edit 0
set name "overlay_to_mgmt"
set srcintf "overlay"
set dstintf "mgmt"
set action accept
set srcaddr "x"
set dstaddr "y"
set schedule "always"
set service "ALL"
set logtraffic all
The error msg:
set dstintf "mgmt"
node_check_object fail! for name mgmt
value parse error before 'mgmt'
Command fail. Return code -651
I believe that there is no way to allow this https access to dedicated mgmt interface from source address incoming from a remote site over IPSEC, am I correct?
some related docs:
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi DiegoSouza,
Yes, this looks to be the case.
I would suggest trying this with reserved management interfaces.
Thank you.
Shahan
Hi DiegoSouza,
How does your HA config look like?
Article that will help: https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...
From the debug flows you shared, it appears there is no policy between IPsec tunnel and mgmt interface:
2022-10-20 18:59:54 id=20085 trace_id=1506 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7746."
2022-10-20 18:59:54 id=20085 trace_id=1506 func=init_ip_session_common line=6050 msg="allocate a new session-01a535df, tun_id=169.254.111.1"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
Please configure a policy with source interface as vpn_mpls and destination interface as mgmt.
Thank you.
Shahan Agha
Hi Sagha,
Thanks for the reply!
Here is the HA config:
FGT-A:
config system ha
set group-id 11
set group-name "***"
set mode a-p
set hbdev "ha1" 50 "ha2" 100
set session-pickup enable
set session-pickup-delay enable
set override disable
set priority 192
set monitor "lacp-external" "lacp-internal"
end
FGT-B:
config system ha
set group-id 21
set group-name "***"
set mode a-p
set hbdev "ha1" 50 "ha2" 100
set session-pickup enable
set session-pickup-delay enable
set override disable
set priority 192
set monitor "lacp-internal" "lacp-external"
end
When I try to create a new firewall policy with mgmt as the destination interface I receive the error below, the result is the same on both FGTs, I believe this is normal behavior because mgmt interface is configured as dedicated management:
Error:
mgmt interfaces config
FGT-A:
config system interface
edit "mgmt"
set vdom "root"
set management-ip 10.206.250.11 255.255.255.0
set ip 10.206.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end
FGT-B:
config system interface
edit "mgmt"
set vdom "root"
set management-ip 10.205.250.11 255.255.255.0
set ip 10.205.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end
the vpn_mpls_o is member of the overlay sdwan zone, btw sdwan zone and members configuration below (identical config on both FGT):
config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "SASE"
next
edit "underlay_isp"
set service-sla-tie-break fib-best-match
next
edit "underlay_broadband"
next
edit "overlay"
next
end
config members
edit 4
set interface "inet_4"
set zone "underlay_broadband"
set cost 250
next
edit 1
set interface "inet_1"
set zone "underlay_isp"
next
edit 2
set interface "inet_2"
set zone "underlay_isp"
next
edit 3
set interface "inet_3"
set zone "underlay_isp"
next
edit 5
set interface "vpn_mpls_0"
set zone "overlay"
next
edit 6
set interface "vpn_inet_2"
set zone "overlay"
next
edit 7
set interface "vpn_inet_3"
set zone "overlay"
next
end
Hi DiegoSouza,
Yes, this looks to be the case.
I would suggest trying this with reserved management interfaces.
Thank you.
Shahan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.