Peddy1976
New Contributor II

Use MGMT interface as source-ip for radius

Hi all,

I have set up a new Fortigate 1101E cluster with FortiOS 6.2.10. Now I'm trying to configure radius authentication for administrators, but when I try to set as source-ip the IP of the MGMT interface I get this error:

x.x.x.x is not valid source ip.
node_check_object fail! for source-ip x.x.x.x
value parse error before '10.119.254.120'
Command fail. Return code -8

What am I doing wrong?

Thanks,
M.


1 Solution
seshuganesh
Staff

Can you please check if you have enabled the management interface under the HA configuration?

If so, that specific interface will be part of the HA mgmt vdom, which is not related to the normal vdom.

Please enable ha-direct:

https://docs.fortinet.com/document/fortigate/6.4.1/administration-guide/375961/routing-data-over-the...

But if you enable it, traffic will be forwarded to the gateway mentioned in the management interface configuration under HA, so please make sure it can reach the radius server through that gateway.

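The configuration the accepted solution and the replies below describe, written out as an added FortiOS CLI example (this is not configuration posted in the thread). It reserves "mgmt" as the HA management interface, enables ha-direct so RADIUS requests leave through that interface and its gateway, and defines the RADIUS server without a source-ip, since "mgmt" is bound to vsys_hamgmt rather than the root vdom and is therefore rejected as a source-ip. The interface name "mgmt", the gateway 10.0.0.1, the server address 10.0.0.50, the shared secret, the object names and the test credentials are all assumptions.

```fortios
# Added example, not from the original thread. Interface "mgmt", gateway
# 10.0.0.1, RADIUS server 10.0.0.50, the secret and the object names are
# assumed values; replace them with your own.

# 1. Reserve "mgmt" as the HA management interface and, with ha-direct,
#    send management traffic (RADIUS, LDAP, syslog, SNMP traps, FortiGuard)
#    through it and its own gateway instead of through the root vdom.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.0.0.1
        next
    end
    set ha-direct enable
end

# 2. RADIUS server for administrator authentication. Do NOT set source-ip
#    here: with ha-direct enabled the reserved management interface is used,
#    and "set source-ip <mgmt IP>" is exactly the command that fails with
#    "is not valid source ip" because "mgmt" belongs to no regular vdom.
config user radius
    edit "RADIUS-ADMIN"
        set server "10.0.0.50"
        set secret <shared-secret>
        set auth-type auto
    next
end

# 3. Group the server and allow wildcard admin logins against it.
#    "super_admin" is the built-in profile; use a least-privilege profile
#    in production.
config user group
    edit "RADIUS-ADMINS"
        set member "RADIUS-ADMIN"
    next
end
config system admin
    edit "radius_admin"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "RADIUS-ADMINS"
    next
end

# 4. Verify reachability and confirm the request leaves via "mgmt"
#    (credentials below are test values).
diagnose test authserver radius RADIUS-ADMIN pap testuser testpassword
diagnose sniffer packet mgmt 'udp port 1812 or udp port 1813' 4
```

When `set ha-direct enable` is entered, the CLI warns that existing source-ip settings (log, netflow, sflow) will be unset; that is expected, because all of that traffic now leaves through the HA management interface. The sniffer line is the quickest way to confirm the RADIUS packets actually use "mgmt" and that the reply comes back through the management gateway rather than through the root vdom's routing table.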

vsahu
Staff

Hello M.

Fortigate will allow setting source-ip to an interface that belongs to the management vdom only, since it is responsible for all management traffic like SNMP, NTP, FortiGuard, etc.

If the firewall is not in multi-vdom mode, then the interface should be in the root vdom.

Then you would be able to set the source-IP to the respective interface.

Can you share the output of:

show system interface
get sys status

Regards,
Vishal
Peddy1976
New Contributor II

Hello vsahu,

below is the output:


config system interface
    edit "ha"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
    edit "mgmt"
        set ip 10.x.x.x 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 2
    next
    edit "agg,1"
        set vdom "root"
        set allowaccess ping
        set type aggregate
        set member "portx" "portx"
        set lldp-transmission enable
        set role lan
        set snmp-index 37
    next
    edit "WAN"
        set vdom "root"
        set ip x.X.x.x 255.255.255.248
        set role wan
        set snmp-index 38
        set interface "agg,1"
        set vlanid x
    next
    edit "XXX"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 39
        set interface "WAN"
    next
    edit "XXX"
        set vdom "root"
        set allowaccess ping
        set type tunnel
        set snmp-index 40
        set interface "WAN"
    next
end

get system status
Version: FortiGate-300E v6.2.10,build1263,211103 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 20.00319(2022-05-18 23:50)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number:
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 05000007
System Part-Number: P21593-04
Log hard disk: Not available
Hostname:
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Cluster uptime: 27 days, 4 hours, 57 minutes, 15 seconds
Cluster state change time: 2022-04-29 14:53:24
Branch point: 1263
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue May 24 15:35:29 2022

Sachin_Alex_Cherian_

Hi,

The mgmt interface seems to be used for dedicated management access. You might have this configured under 'config system ha'. When you add the mgmt interface for HA dedicated management, this interface is not part of any vdom and is bound to vsys_hamgmt. If you check the mgmt interface settings you shared, you do not see any vdom set as you see for the other interfaces. Ideally, you set the source ip if you want to use another interface other than mgmt.

Regards,
Sachin.
aahmadzada
Staff

Hi, 

The right way of achieving your goal is to configure the "ha-direct" option under the HA settings via the CLI.
When ha-direct is enabled, FortiGate uses the HA management interface for sending log messages to FortiAnalyzer and remote syslog servers, sending SNMP traps, accessing remote authentication servers (for example, RADIUS, LDAP) and connecting to FortiManager / FortiSandbox / FortiCloud.

KB: https://community.fortinet.com/t5/FortiGate/Technical-Note-Sending-messages-logs-SNMP-RADIUS-directl...

Documentation that describes the behavior of that command: https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/313152/out-of-band-managemen...

Ahmad
vsahu
Staff

Also keep in mind:

When ha-direct is enabled, source ip may not work.
We recommend to unset all log-related, netflow and sflow source ip.
By selecting to continue, all source ip will be unset.

Regards,
Vishal