Support Forum
DiegoSouza
New Contributor

Fortigate MGMT (dedicated) access over IPSEC

Hi all,

My first post here!

I am trying to deploy FGT (V7.0.8) on two sites, each FGT with its own dedicated mgmt interface, and have HTTPS access over an IPSEC tunnel, diagram below:

[network diagram: DiegoSouza_1-1666295054247.png]


From the local site, each admin PC can access the local FGT web interface; the issue starts when the admin at PC A tries to access the FGT-B web interface over the tunnel, and when the admin at PC B tries to access the FGT-A web interface.

 

Mgmt interface configuration of each FGT is below:

FGT-A:

config system interface
edit "mgmt"
set vdom "root"
set ip 10.206.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end

FGT-B:

config system interface
edit "mgmt"
set vdom "root"
set ip 10.205.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end

Diagnose debug flow output from FGT-A when admin B tries to ping FGT-A (ICMP):

2022-10-20 18:59:49 id=20085 trace_id=1505 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7741."
2022-10-20 18:59:49 id=20085 trace_id=1505 func=init_ip_session_common line=6050 msg="allocate a new session-01a534dd, tun_id=169.254.111.1"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7746."
2022-10-20 18:59:54 id=20085 trace_id=1506 func=init_ip_session_common line=6050 msg="allocate a new session-01a535df, tun_id=169.254.111.1"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"

 

 


My understanding is that the traffic was denied by the default policy, so I tried to create a firewall policy as below, but I can't set the mgmt interface as dstintf.

config firewall policy
edit 0
set name "overlay_to_mgmt"
set srcintf "overlay"
set dstintf "mgmt"
set action accept
set srcaddr "x"
set dstaddr "y"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

The error message:

set dstintf "mgmt"
node_check_object fail! for name mgmt
value parse error before 'mgmt'
Command fail. Return code -651

I believe there is no way to allow this HTTPS access to the dedicated mgmt interface from a source address coming in from a remote site over IPsec. Am I correct?

Some related docs:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubles-accessing-management-access-throu...

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-dedicate-an-interface-to-managemen...

 

Diego
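Added example (mine, not part of the post and not a Fortinet tool): a small Python helper that reads the `diagnose debug flow` lines above together with the mgmt interface stanza and reports, per trace_id, where the packet came in, whether it was addressed to the FortiGate itself, which handler dropped it, and whether the source and service are covered by the interface's own trust-ip and allowaccess settings. The sample inputs are copied from the post; every function and field name is my own. The only protocol-to-allowaccess mapping assumed is ICMP to `ping`; TCP/UDP services are deliberately not inferred.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample 1: the trace_id=1505 lines from the post, copied verbatim.
SAMPLE_FLOW = """\
2022-10-20 18:59:49 id=20085 trace_id=1505 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7741."
2022-10-20 18:59:49 id=20085 trace_id=1505 func=init_ip_session_common line=6050 msg="allocate a new session-01a534dd, tun_id=169.254.111.1"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:49 id=20085 trace_id=1505 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
"""

# Constructed sample 2: the FGT-A "mgmt" interface stanza from the post.
SAMPLE_MGMT_CONFIG = """\
config system interface
edit "mgmt"
set vdom "root"
set ip 10.206.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)'
                    r'(?: tun_id=(?P<tun>[\d.]+))? from (?P<intf>[^\s.]+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<vdom>\S+)')
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')
TRUST_RE = re.compile(r'^\s*set trust-ip-\d+ ([\d.]+) ([\d.]+)\s*$', re.M)
ALLOW_RE = re.compile(r'^\s*set allowaccess (.+?)\s*$', re.M)

# Assumption: only ICMP maps to an allowaccess keyword without knowing a port.
PROTO_TO_ACCESS = {"1": "ping"}


@dataclass
class Trace:
    trace_id: str
    proto: str = ""
    src: str = ""
    dst: str = ""
    in_intf: str = ""
    tun_id: str = ""
    route_gw: str = ""
    drop_handler: str = ""  # value of func= on the line that reported the drop
    policy: str = ""

    @property
    def local_in_drop(self) -> bool:
        return self.drop_handler == "fw_local_in_handler"

    @property
    def routed_to_self(self) -> bool:
        # The route lookup returned the destination address itself as the gateway and the
        # next step was the local-in handler: the packet is addressed to the FortiGate.
        return bool(self.route_gw) and self.route_gw == self.dst


def parse_debug_flow(text: str) -> List[Trace]:
    """Group debug-flow lines by trace_id and pull out the fields that matter."""
    traces: Dict[str, Trace] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tr = traces.setdefault(m["trace"], Trace(trace_id=m["trace"]))
        msg = m["msg"]
        if p := PKT_RE.search(msg):
            tr.proto, tr.src, tr.dst = p["proto"], p["src"], p["dst"]
            tr.in_intf, tr.tun_id = p["intf"], p["tun"] or ""
        elif r := ROUTE_RE.search(msg):
            tr.route_gw = r["gw"]
        elif d := DROP_RE.search(msg):
            tr.policy, tr.drop_handler = d["policy"], m["func"]
    return list(traces.values())


def parse_trust_ips(config: str) -> List[ipaddress.IPv4Network]:
    """trust-ip-N lines of one interface stanza as networks (empty list = no restriction)."""
    return [ipaddress.IPv4Network(f"{ip}/{mask}") for ip, mask in TRUST_RE.findall(config)]


def parse_allowaccess(config: str) -> List[str]:
    m = ALLOW_RE.search(config)
    return m.group(1).split() if m else []


def source_is_trusted(tr: Trace, nets: List[ipaddress.IPv4Network]) -> bool:
    return not nets or any(ipaddress.IPv4Address(tr.src) in n for n in nets)


def explain(tr: Trace, config: str) -> str:
    """One-line verdict: origin, destination, dropping handler, and what the interface's
    own trust-ip / allowaccess settings say about the packet."""
    parts = [f"trace {tr.trace_id}: {tr.src} -> {tr.dst} proto {tr.proto} in on {tr.in_intf}"
             + (f" (tun_id {tr.tun_id})" if tr.tun_id else "")]
    if tr.routed_to_self:
        parts.append("destined to the FortiGate itself (local-in path)")
    if tr.local_in_drop:
        parts.append(f"dropped by {tr.drop_handler}, policy {tr.policy}")
    parts.append("source in trust-ip" if source_is_trusted(tr, parse_trust_ips(config))
                 else "source NOT in trust-ip")
    svc = PROTO_TO_ACCESS.get(tr.proto)
    if svc:
        parts.append(f"{svc} {'is' if svc in parse_allowaccess(config) else 'is NOT'} in allowaccess")
    return "; ".join(parts)


if __name__ == "__main__":
    for tr in parse_debug_flow(SAMPLE_FLOW):
        print(explain(tr, SAMPLE_MGMT_CONFIG))
```

Run against the post's own lines, the verdict is that the source is inside trust-ip-1 and ping is in allowaccess, yet the packet is still dropped in the local-in handler on policy 0; that rules out trust-ip and allowaccess as the cause and points at what is left, the traffic path from the tunnel to the dedicated mgmt interface.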
sagha
Staff

Hi DiegoSouza,

What does your HA config look like?

Article that will help: https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

From the debug flows you shared, it appears there is no policy between the IPsec tunnel and the mgmt interface:

2022-10-20 18:59:54 id=20085 trace_id=1506 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.21.31.53:2->10.206.250.2:2048) tun_id=169.254.111.1 from vpn_mpls_0. type=8, code=0, id=2, seq=7746."
2022-10-20 18:59:54 id=20085 trace_id=1506 func=init_ip_session_common line=6050 msg="allocate a new session-01a535df, tun_id=169.254.111.1"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-10.206.250.2 via root"
2022-10-20 18:59:54 id=20085 trace_id=1506 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"

 

Please configure a policy with source interface vpn_mpls and destination interface mgmt.

Thank you.

Shahan Agha

DiegoSouza

Hi Sagha,

Thanks for the reply!

Here is the HA config:
FGT-A:

config system ha
set group-id 11
set group-name "***"
set mode a-p
set hbdev "ha1" 50 "ha2" 100
set session-pickup enable
set session-pickup-delay enable
set override disable
set priority 192
set monitor "lacp-external" "lacp-internal"
end

FGT-B:

config system ha
set group-id 21
set group-name "***"
set mode a-p
set hbdev "ha1" 50 "ha2" 100
set session-pickup enable
set session-pickup-delay enable
set override disable
set priority 192
set monitor "lacp-internal" "lacp-external"
end

 

When I try to create a new firewall policy with mgmt as the destination interface I receive the error below. The result is the same on both FGTs; I believe this is normal behavior because the mgmt interface is configured as dedicated management.

Error:

[screenshot: DiegoSouza_0-1666351640100.png]

 


Mgmt interfaces config:

FGT-A:

config system interface
edit "mgmt"
set vdom "root"
set management-ip 10.206.250.11 255.255.255.0
set ip 10.206.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end

FGT-B:

config system interface
edit "mgmt"
set vdom "root"
set management-ip 10.205.250.11 255.255.255.0
set ip 10.205.250.2 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type physical
set dedicated-to management
set snmp-index 2
set trust-ip-1 10.21.31.0 255.255.255.0
set trust-ip-2 10.11.32.0 255.255.255.0
next
end

 


vpn_mpls_0 is a member of the overlay SD-WAN zone; btw, the SD-WAN zone and members configuration is below (identical on both FGTs):

config system sdwan
set status enable
config zone
edit "virtual-wan-link"
next
edit "SASE"
next
edit "underlay_isp"
set service-sla-tie-break fib-best-match
next
edit "underlay_broadband"
next
edit "overlay"
next
end
config members
edit 4
set interface "inet_4"
set zone "underlay_broadband"
set cost 250
next
edit 1
set interface "inet_1"
set zone "underlay_isp"
next
edit 2
set interface "inet_2"
set zone "underlay_isp"
next
edit 3
set interface "inet_3"
set zone "underlay_isp"
next
edit 5
set interface "vpn_mpls_0"
set zone "overlay"
next
edit 6
set interface "vpn_inet_2"
set zone "overlay"
next
edit 7
set interface "vpn_inet_3"
set zone "overlay"
next
end

 

Diego

sagha

Hi DiegoSouza,

Yes, this looks to be the case.

I would suggest trying this with reserved management interfaces.

Thank you.

Shahan
