petrosk
New Contributor II

I cannot access the Fortigate 200F MGMT port IP address

I have a Fortinet 200F hardware controller set up in a High Availability Cluster. The version is v7.2.8 build1639 (Mature).

Background:

- The dedicated MGMT Interface IP address is X.X.30.254.

- The FortiGate LAN interface is using a X.X.99.X IP address.

- My workstation is using a X.X.210.X IP address.

Problem Description:

I can log in to the FortiGate FW Web interface just fine using the assigned LAN IP address (X.X.99.X) from my workstation (X.X.210.X); but I cannot get a web page or ping the IP address assigned to the FortiGate MGMT Interface (X.X.30.254) from my workstation.

I can access and ping other devices on the same X.X.30.X network from my workstation; hence the problem is specific to the X.X.30.254 Interface. By the way, other devices on the same subnet (X.X.210.X) have the same problem with the FortiGate MGMT Interface address (X.X.30.254).

I have set the following configuration on the FortiGate "MGMT physical Interface":

[Screenshot: MGMT_Config_II.png]

My workstation is on one of the three trusted host subnets that I have configured under the Dedicated port section. We can continue to work with the FortiGate Web UI by using the LAN Interface IP address (X.X.99.X), but I want to understand how to get the MGMT Interface IP address to be accessible from our corporate network.

Question 1: Can we use both the LAN Interface and the MGMT Interface to access the web interface?

Question 2: Is the MGMT Interface supposed to only be used for Out of Band communication? As in, not to be accessed from the corporate network? That just sounds silly to me after typing this question.

I just discovered that if I set up a laptop on the X.X.30.X network and browse to the MGMT IP Interface Address (X.X.30.254), then that works. Hence the problem is specific to the X.X.210.X network.

If I try to ping the FG MGMT IP address from the default gateway router, there are ping replies from the MGMT IP address. Equally important, I can ping other devices from the router and from my workstation that are also on the same subnet (X.X.30.X). I just cannot access the FortiGate MGMT IP address from the corporate network. Hence the problem appears to be specific to the FortiGate MGMT Interface IP address.

Since the Dedicated Port setting is enabled, I do not see the MGMT Interface as an option for Firewall policies.

When I run a packet capture from my workstation I just see packets being sent from my workstation to the MGMT Interface IP address, but no replies back. No Echo ping replies or TCP ACK packets from the FortiGate.

Ideas, suggestions...?

Peter Kafkas
1 Solution
AEK
SuperUser

  • Q1: Yes, you can use both, but it is not required. You can still access the FGT WebUI from only the LAN interface if you want.
  • Q2: You can do whatever you want with the management interface and it will work, but it has less performance and will use your CPU if you use it as a traffic interface. So I think the MGMT interface is better used as dedicated out-of-band, as you did.
  • Regarding your issue, did you configure a gateway for your MGMT interface (in static routes)?
AEK

3 Replies
petrosk
New Contributor II

The static route was the problem.

Full disclosure, I did not set up this FortiGate 200F; the previous administrator did, and I heard he was very smart, but he did not believe in documentation.

There was a static route on the FortiGate for a X.X.210.X address to be routed to the MGMT physical interface. That specific address X.X.210.X is no longer being used, so, to test, I put my computer IP address (X.X.210.X) in the rule instead and then... I was able to access the FortiGate Web Portal from the designated IP address X.X.30.254.

Apparently, the static route is not needed if you are already on the same subnet as the MGMT Interface IP address (X.X.30.X).

Peter Kafkas
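As an added example that is not part of the thread (it is neither AEK's nor petrosk's configuration), here is the FortiOS CLI form of the fix petrosk found: a static route for the X.X.210.0/26 workstation subnet out of the dedicated management port, next to the trusted-host restriction already in place, followed by the checks that confirm replies now leave via that port. It assumes the dedicated port is named "mgmt", a /24 mask on the X.X.30.0 network, and X.X.30.1 as the address of the default gateway router mentioned in the question (all three are placeholders, not values from the page).

```fortios
# Added example, not from the thread. Assumptions: the dedicated port is
# "mgmt", the management network is X.X.30.0/24, and the default gateway
# router on that network is X.X.30.1 (placeholder; substitute yours).

# 1. Dedicated management port. Keeping trusted hosts on the port means only
#    the listed subnets can reach the admin UI even once it is routable.
#    X.X.210.0/26 is the subnet named in the thread; trust-ip-2/trust-ip-3
#    take the other two trusted subnets the poster mentions.
config system interface
    edit "mgmt"
        set dedicated-to management
        set ip X.X.30.254 255.255.255.0
        set allowaccess ping https ssh
        set trust-ip-1 X.X.210.0 255.255.255.192
    next
end

# 2. The missing piece: a return route for the workstation subnet out of the
#    mgmt port. Without it the FortiGate has no path back to X.X.210.x via
#    mgmt, so requests arrive but replies never leave, which is exactly the
#    one-way capture described in the question. Hosts already on
#    X.X.30.0/24 need no route because they are directly connected.
config router static
    edit 0
        set dst X.X.210.0 255.255.255.192
        set gateway X.X.30.1
        set device "mgmt"
    next
end

# 3. Checks: confirm the route is installed, then ping a workstation from
#    the mgmt address (X.X.210.10 is a constructed sample host) while
#    watching the mgmt port for the echo request going out and the reply
#    coming back.
get router info routing-table all
execute ping-options source X.X.30.254
execute ping X.X.210.10
diagnose sniffer packet mgmt 'host X.X.210.10 and icmp' 4
```

If the sniffer shows inbound requests but no outbound replies after the route is added, check the routing table output for an overlapping route that sends X.X.210.0/26 via the LAN interface instead.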
petrosk
New Contributor II

I have already tried to remove the trusted host subnet X.X.210.X/26 and then we re-added it; but that did not make a difference. My next steps are to analyse the packet traces and to restart the firewall if we need to.

Peter Kafkas