Hi. I have a FortiGate 100F which I have configured for SSL-VPN in "Tunnel-Mode" (also configured a policy) > which is working. Now I would like to set up "Split Tunneling" > I have enabled it and set up the routing addresses. Now the issue is, that I can only connect to the "MGMT-IP-Address" if I set the outgoing-interface to "any". I have attached a screenshot of the VPN policy. If it is configured like in the screenshot, then I'm able to connect to the "MGMT-IP-Address" for remote management over VPN. "Security Fabric" marks this as "failed".
But I can't select "MGMT" as interface in the policy rules, it is not appearing in the list of interfaces. If I add all available interfaces (except "any") to the "outgoing interface" then I'm not able to connect to the "MGMT-IP-Address" with VPN.
For the MGMT-IP-Address I have created a "firewall address", which I have added to the "routing addresses":
config firewall address
    edit "VPN-MGMT"
        set uuid e79017f6-4b1f-51ea-b3bb-a7dd0f696a51
        set subnet 192.168.99.0 255.255.255.0
    next
end
As explained, it is working with "outgoing interface = any" of the policy - but the "Security Fabric" marks "failed" and I can't set up this Interface/IP on the outgoing interface. Can I ignore the Security Fabric for this case? I suppose not, but now I'm wondering how I can connect to the "MGMT-IP-Address".
well hm the dedicated-to-mgmt is a fortios factory default setting. If you don't need a dedicated mgmt interface (like we don't need one because we have a mgmt vlan for this purpose) you could unset this and use the port for other purposes. It then behaves like any other port does.
For your policy you would have to set src to the subnet that is on your tunnel. You should have configured a client ip range on that tunnel. So traffic from client will come in with an ip out of this range.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
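A worked example of what the answer above describes, added here and not taken from the thread or from Fortinet: it clears the factory dedicated-to setting on the mgmt port, then references that port in an SSL-VPN policy whose source is the tunnel client range and keeps the split-tunnel route for the management subnet. The tunnel interface name ssl.root, the default client address object SSLVPN_TUNNEL_ADDR1, the portal name full-access and the user group sslvpn-users are assumptions; VPN-MGMT is the address object from the question.

```text
# Added example (not from the thread). Assumes the SSL-VPN tunnel is in the
# root VDOM (interface "ssl.root"), clients get addresses from the default
# "SSLVPN_TUNNEL_ADDR1" object, the portal is "full-access", and a user group
# "sslvpn-users" is mapped to it. "VPN-MGMT" is the 192.168.99.0/24 object
# created in the question.

# 1. Drop the factory "dedicated-to management" flag so the port behaves
#    like any other interface and becomes selectable in policies.
config system interface
    edit "mgmt"
        set dedicated-to none
    next
end

# 2. Policy from the tunnel to the mgmt subnet. Source is the client address
#    range, destination is the mgmt port; only the management services that
#    are actually needed are allowed, and the traffic is logged.
config firewall policy
    edit 0
        set name "SSLVPN-to-MGMT"
        set srcintf "ssl.root"
        set dstintf "mgmt"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VPN-MGMT"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
        set groups "sslvpn-users"
        set logtraffic all
    next
end

# 3. With split tunneling enabled, the same object must be in the portal's
#    routing list so the client sends 192.168.99.0/24 into the tunnel.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "VPN-MGMT"
    next
end
```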
hm is that mgmt interface part of a zone or trunk or switch? In this case it is not shown anymore in the selection drop down. You would have to use zone/trunk/switch interface then instead.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
No, none of these three. There was only "DHCP" enabled, I have disabled it now. Verifying the GUI > Ref = 0.
hm afair it could also be due to the role the interface is set to have. The Role also affects some Interface features.
is your MGMT dedicated to role management or similar?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Can one still use the dedicated Mng interfaces for normal traffic, think that was removed or not?
You should have created a Management VDOM and assigned the dedicated management interface to that vdom only
hm never tried to since I don't need no dedicated management interface. We're using vlans for that...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
It looks like it is not appearing because of the "dedicated-to management" setting. It is described there: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37035
It prevents creating a firewall policy using an interface configured with this setting.
The site also shows that it should appear as connected route in the routing table - but this entry is missing (enabling, disabling the "dedicated-to management" does not help).
The interface is in the "role = LAN".
edit "mgmt"
    set vdom "root"
    set ip 192.168.99.99 255.255.255.0
    set allowaccess ping https fgfm
    set type physical
    set dedicated-to management
    set role lan
    set snmp-index 2
next
BUT now I have found out that this is not related to "Split Tunneling". If I disable the "Split Tunneling" the same issue appears > I can only connect to the MGMT-Interface if the policy is set to "any". So I have to decide if I ignore the warning of the "Security Fabric" or I disable the "dedicated-to management"?? But what is the drawback if I disable the "dedicated-to management"?
Thank you for your answer. I had before only a FortiGate 60D without a dedicated management port, and now I thought this MGMT-Interface is fixed and I can only manage the FortiGate with this port/ip-address.
Because you have written that you are using a mgmt-vlan and I can use the MGMT interface like the other internal interfaces, I realized that I'm not tied to the MGMT-Interface... Then I have seen that this was done on the 60D with the "FMG-Access"...
So in this case I can create also a MGMT-VLAN, and then I can adjust the policy as needed.