is it possible to place the mgmt interface into the same subnet as the lan interface?

dan · ‎02-06-2023

I have a fortigate with a dedicated mgmt interface.

On the lan side, I use i.e. port1 with the address 192.168.77.1/24.

Is it possible to "set dedicated-to management" to the mgmt interface and give it an address like 192.168.77.200/24 ?

Usually, with normal ports, this would lead to issues with routing as both interfaces would be directly connected and in the same subnet.

Yet, the explanation of the "dedicated-to management" function seems to indicate that this should be possible (?). Though it seems that still both interfaces (port1, mgmt) would generate a direct connect route.

So, even if it's not best practice, can I place the dedicated-to management interface into the same subnet as another port on the same fortigate?

Thanks

Dan

Networking and such...

Richie_C · ‎02-06-2023

I confirmed the behaviour with a quick test in my lab. See the following config:

#Enable dedicated MGMT in HA Config
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces  <---Dedicated mgmt
        edit 1
            set interface "dmz"
            set gateway 172.16.1.1
        next
    end
end

#Configure dedicated management interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int dmz
config system interface
    edit "dmz"
        set ip 172.16.16.254 255.255.255.0  
        set allowaccess ping https http fgfm fabric
        set type physical
        set role dmz
        set snmp-index 3
    next
end

#Configure LAN interface in the 172.16.16.0/24 subnet 
FGT (global) # sho sys int internal
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.16.16.1 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set stp enable
        set device-identification enable
        set role lan
        set snmp-index 6
    next
end

Take a backup before making any changes

View solution in original post

Richie_C · ‎02-06-2023

Hi

Yes it is possible to have the same subnet on the dedicated management interface and the LAN.

It is possible because the mgmt interface is in a different (hidden VDOM). More information can be found here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface-s-hidden-...

Thanks

Take a backup before making any changes

Richie_C · ‎02-06-2023

I confirmed the behaviour with a quick test in my lab. See the following config:

#Enable dedicated MGMT in HA Config
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces  <---Dedicated mgmt
        edit 1
            set interface "dmz"
            set gateway 172.16.1.1
        next
    end
end

#Configure dedicated management interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int dmz
config system interface
    edit "dmz"
        set ip 172.16.16.254 255.255.255.0  
        set allowaccess ping https http fgfm fabric
        set type physical
        set role dmz
        set snmp-index 3
    next
end

#Configure LAN interface in the 172.16.16.0/24 subnet 
FGT (global) # sho sys int internal
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.16.16.1 255.255.255.0
        set allowaccess ping https ssh fgfm fabric
        set type hard-switch
        set stp enable
        set device-identification enable
        set role lan
        set snmp-index 6
    next
end

Take a backup before making any changes

dan · ‎07-04-2023

Thanks a lot @Richie_C

Dan

Networking and such...

is it possible to place the mgmt interface into the same subnet as the lan interface?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website