Hi all,
I have setup a new Fortigate 1101E cluster with FortiOS 6.2.10. Now I'm trying to configure radius authentication for administrators but when I try to set as source-ip the IP of the MGMT interface I get this error:
x.x.x.x is not valid source ip.
node_check_object fail! for source-ip x.x.x.x
value parse error before '10.119.254.120'
Command fail. Return code -8
What am I doing wrong?
Thanks,
M.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Can you please check if you have enabled management interface under HA configuration?
If so, that specific interface will be part of HA mgmt vdom which is not related to the normal vdom?
Pleas enable ha direct:
But if you enable it traffic will be forwarded to the gateway mentioned in the managemeent interface configuration under HA, please make sure it can reach radius server through that gateway.
Hello M.
Fortigate will allow setting source-ip to an interface that belongs to management Vdom only since its responsible for all management traffic like SNMP, NTP, fortiguard, etc.
If the firewall is not in Multi-vdom mode, then the interface should be in root vdom .
Then You would be able to set the source-IP to the respected Interface.
can you share the output of :
show system interface
get sys status
Hello vsahu,
below the output:
config system interface
edit "ha"
set vdom "root"
set type physical
set snmp-index 1
next
edit "mgmt"
set ip 10.x.x.x 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set dedicated-to management
set role lan
set snmp-index 2
next
edit "agg,1"
set vdom "root"
set allowaccess ping
set type aggregate
set member "portx" "portx"
set lldp-transmission enable
set role lan
set snmp-index 37
next
edit "WAN"
set vdom "root"
set ip x.X.x.x 255.255.255.248
set role wan
set snmp-index 38
set interface "agg,1"
set vlanid x
next
edit "XXX"
set vdom "root"
set allowaccess ping
set type tunnel
set snmp-index 39
set interface "WAN"
next
edit "XXX"
set vdom "root"
set allowaccess ping
set type tunnel
set snmp-index 40
set interface "WAN"
next
end
get system status
Version: FortiGate-300E v6.2.10,build1263,211103 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 20.00319(2022-05-18 23:50)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number:
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 05000007
System Part-Number: P21593-04
Log hard disk: Not available
Hostname:
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Cluster uptime: 27 days, 4 hours, 57 minutes, 15 seconds
Cluster state change time: 2022-04-29 14:53:24
Branch point: 1263
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue May 24 15:35:29 2022
Hi,
The mgmt interface seems to be used for dedicated management access. You might have this configured under 'config system ha'. When you add mgmt interface for ha dedicated management, this interface is not part of any vdom and bound to vsys_hamgmt. If you check mgmt interface setting shared, you do not see any vdom set as you see for the other interfaces. Ideally, you set the source ip if you want to use another interface other than mgmt.
Hi,
The right way of achieving your goal is to configure "ha-direct" option under the HA settings via cli.
When ha-direct is enabled, FortiGate uses the HA management interface for sending log messages to FortiAnalyzer, remote syslog servers, sending SNMP trap, access to remote authentication servers (for example, RADIUS, LDAP) and connecting to FortiManager / FortiSandbox / FortiCloud.
Documentation that describes the behavior of that command: https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/313152/out-of-band-managemen...
Ahmad
Also keep in mind
When ha-direct is enabled, source ip may not work.
We recommend to unset all log-related, netflow and sflow source ip.
By selecting to continue, all source ip will be unset.
Regards,
vsahu
Can you please check if you have enabled management interface under HA configuration?
If so, that specific interface will be part of HA mgmt vdom which is not related to the normal vdom?
Pleas enable ha direct:
But if you enable it traffic will be forwarded to the gateway mentioned in the managemeent interface configuration under HA, please make sure it can reach radius server through that gateway.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.