I have a fortigate with a dedicated mgmt interface.
On the lan side, I use i.e. port1 with the address 192.168.77.1/24.
Is it possible to "set dedicated-to management" to the mgmt interface and give it an address like 192.168.77.200/24 ?
Usually, with normal ports, this would lead to issues with routing as both interfaces would be directly connected and in the same subnet.
Yet, the explanation of the "dedicated-to management" function seems to indicate that this should be possible (?). Though it seems that still both interfaces (port1, mgmt) would generate a direct connect route.
So, even if it's not best practice, can I place the dedicated-to management interface into the same subnet as another port on the same fortigate?
Thanks
Dan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I confirmed the behaviour with a quick test in my lab. See the following config:
#Enable dedicated MGMT in HA Config
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces <---Dedicated mgmt
edit 1
set interface "dmz"
set gateway 172.16.1.1
next
end
end
#Configure dedicated management interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int dmz
config system interface
edit "dmz"
set ip 172.16.16.254 255.255.255.0
set allowaccess ping https http fgfm fabric
set type physical
set role dmz
set snmp-index 3
next
end
#Configure LAN interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int internal
config system interface
edit "internal"
set vdom "root"
set ip 172.16.16.1 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type hard-switch
set stp enable
set device-identification enable
set role lan
set snmp-index 6
next
end
Hi
Yes it is possible to have the same subnet on the dedicated management interface and the LAN.
It is possible because the mgmt interface is in a different (hidden VDOM). More information can be found here:
Thanks
I confirmed the behaviour with a quick test in my lab. See the following config:
#Enable dedicated MGMT in HA Config
config system ha
set ha-mgmt-status enable
config ha-mgmt-interfaces <---Dedicated mgmt
edit 1
set interface "dmz"
set gateway 172.16.1.1
next
end
end
#Configure dedicated management interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int dmz
config system interface
edit "dmz"
set ip 172.16.16.254 255.255.255.0
set allowaccess ping https http fgfm fabric
set type physical
set role dmz
set snmp-index 3
next
end
#Configure LAN interface in the 172.16.16.0/24 subnet
FGT (global) # sho sys int internal
config system interface
edit "internal"
set vdom "root"
set ip 172.16.16.1 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type hard-switch
set stp enable
set device-identification enable
set role lan
set snmp-index 6
next
end
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.