Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- MGMT Interface on "Internal"
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MGMT Interface on "Internal"
Stupid question that I've been beating my head against. My new FS (1048E running v6.4.2) has a dedicated mgmt interface but I don't want to use it and would rather have mgmt allowed on any interface that is up/connected to the network and essentially has a management IP address assigned globally. On my old switches I'd assign an IP address to a VLAN and allow mgmt protocols. Pretty simple. I've followed the instructions in the admin guide for both "models with dedicated" and models without but am stumbling at the part where after configuring the "internal" interface (ip address, allowed access, etc) it wants me to "create a new interface to be used for management" and assign an address to it...which it won't allow because the mgmt address is in use by the "internal" interface.
config system interface edit internal set ip 172.16.1.50/24 set allowaccess ping https ssh set type physical set secondary-IP enable config secondaryip edit <id> set ip <IP_address_and_netmask> set allowaccess <access_types> next end
next edit MGMT1 set ip 172.16.1.50/24 set allowaccess ping https ssh set interface internal set vlanid 1 set secondary-IP enable config secondaryip edit <id> set ip <IP_address_and_netmask> set allowaccess <access_types> end end
that results in the obvious error of a duplicate IP. I can't seem to turn it up unless it's on the dedicated mgmt port which I don't want. Any suggestions would be appreciated.
-Mike
-Mike
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a new interface and assign to the VLAN you want it on:
edit 1
set ip x.x.x.x
set allowaccess https ping
set vlanid x
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brycemd wrote:Create a new interface and assign to the VLAN you want it on:
edit 1
set ip x.x.x.x
set allowaccess https ping
set vlanid x
I've done that and still nothing assuming the new interface has the IP I want to use for the mgmt interface. FS1 # config system interface FS1 (interface) # edit name Name. internal static 0.0.0.0 0.0.0.0 up physical mgmt static 0.0.0.0 0.0.0.0 up physical netmgmt static 172.16.1.50 255.255.255.0 up vlan
-Mike
-Mike
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not really sure, that's what I always do and I've never had an issue with it.
Are you attempting to access from same VLAN? Maybe missing a gateway?
I guess can you show the config for netmgmt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do have a default static route set with the device as "any" (or unset in the cli). Didn't seem to make a difference if I force it to "internal" or "netmgmt".
config router static edit 1 set bfd disable set blackhole disable set comment '' set device '' set distance 10 set dst 0.0.0.0 0.0.0.0 set dynamic-gateway disable set gateway 172.16.1.1 set status enable next end
Here is the full config for "netmgmt"
edit "netmgmt" set mode static set dhcp-relay-service disable set ip 172.16.1.50 255.255.255.0 set allowaccess ping https ssh set bfd disable set bfd-desired-min-tx 250 set bfd-detect-mult 3 set bfd-required-min-rx 250 set icmp-redirect enable set src-check disable set status up set type vlan set description '' set alias '' set vrrp-virtual-mac disable set secondary-IP disable set snmp-index 56 config ipv6 set ip6-address ::/0 set ip6-mode static unset ip6-allowaccess set autoconf disable set ip6-unknown-mcast-to-cpu disable set dhcp6-information-request disable set ip6-send-adv disable set vrrp-virtual-mac6 disable set vrip6_link_local :: end set vlanid 1 set interface "internal" next
-Mike
-Mike
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming VLAN 1 is the VLAN for 172.16.1.x, it looks correct to me.
You can try setting as DHCP on netmgmt to see if it has full network communication(If there is a DHCP server for the VLAN). It's ability to get DHCP or not should at least point you in the right direction.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm starting to think it's the physical connection to my network. I have the 1048E set up temporarily in my office with a fiber-to-copper converter connected to port1 on the switch. I get link lights (with matching transceivers) and the wall jack/port back to my network is set properly but no apparent connectivity if when I try to set up the switch to manage through any ethernet port. When I plug the wall jack via copper in to the native rj45 mgmt interface on the switch and configure it back to default, it works.
I'm going to round up another fiber to copper converter and test again with it.
-Mike
-Mike
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you been able to resolve this issue yet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SecurityPlus wrote:No, not yet. I ordered a replacement fiber to copper converter and it should be getting here today. I connect it to port 1 on the 1048e and make the config changes and see what happens.
Have you been able to resolve this issue yet.
-Mike
-Mike
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all is working as normal. Not sure if it was the media converter or something else. Interesting to note that the 1048E worked with just applying the IP address (in this case 172.16.1.50) to the "internal" interface and allowing access protocols. The two 448Ds I also just received worked with adding a new interface and assigning their respective IPs plus the vlanid to the interface.
-Mike
-Mike
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,634 -
FortiClient
1,745 -
5.2
801 -
FortiManager
721 -
5.4
639 -
FortiAnalyzer
555 -
FortiSwitch
472 -
FortiAP
465 -
FortiClient EMS
424 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
SSL-VPN
237 -
FortiAuthenticator v5.5
234 -
Fortiweb
205 -
IPsec
204 -
5.0
196 -
FortiNAC
186 -
FortiGuard
139 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiAuthenticator
97 -
FortiCloud Products
96 -
FortiToken
89 -
Firewall policy
80 -
Customer Service
79 -
Wireless Controller
78 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
37 -
SAML
36 -
FortiGate v5.4
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
VDOM
28 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
SNMP
13 -
Web application firewall profile
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1692 | |
| 1087 | |
| 752 | |
| 446 | |
| 228 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.