- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- mgmt interface configuration
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mgmt interface configuration
I have used mgmt ports on fgt's in the past without problems: I have two HA clusters, each one of them has their own IP in one and the same network and I used NAT in the firewall rule to get access to the other cluster which was not the main cluster. In this configuration I could manage every one of the four devices separately and this has been useful and needed to get the HA fixed when it has broken sometimes. That was so in 5.4.
After upgrading to 6.4 I see that something has changed. Recently I restored a broken HA cluster and noted that the mgmt1 interface shows its address with red background and mentioning there an overlapping address. Yes, I needed another VLAN interface in the main cluster in the same mgmt subnet to make the NAT work in the firewall rule.
Is it possible to get the management working without a NAT-rule? There's information here: https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/313152/out-of-band-managemen...
But one thing is unclear and even confusing: what is the gateway in "management interface reservation" configuration? Where is it? It is not shown in the diagram. A random IP in the same network which doesn't even have to exist? If overlapping of subnets is not allowed, it can't be in the same unit/VDOM if it is meant to be a real address. (Do I need a separate FGT to manage the cluster?...) Also, there is no explanation of how the 10.11.101.100 works in that diagram that is common to both units and that is used to configure the new separate addresses for units. And the explanation for "Destination subnet", which is "Optionally, enter a Destination subnet to indicate the destinations that should use the defined gateway.", doesn't really tell me anything what is it really and what is it used for. Then there is "set ha-direct enable" option but no good explanation, what is this and for what purpose is it needed.
Has anybody got working the mgmt of HA cluster members without overlapping subnets (in one of the VDOMs of the same device) and without a firewall rule with NAT? What is the secret here?
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Created on 07-12-2022 08:42 AM Edited on 07-12-2022 08:42 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're talking about only management subnet routing through your switches. Why does it have to do anything with other user traffic? Why do you need to touch a default route?
That's the purpose of "out-of-band" management interfaces to separate management traffic from user traffic.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My purpose is not to get it out of band because I don't need it, it will make it more complex although more reliable in general. I only want to have separate IP's for management and in band. It looks like out of band mgmt requires everything doubled: the router (for mgmt), internet connection, cabling... and that I don't want.
Currently I manage the routers in just one of the networks that's bound to it and I am a bit surprised that to "split" those IP's, that is, get each member their own and use the already working infrastructure is so difficult. There should be a way for this in band too in a simpler way. My current NATted solution can be done even with new devices because when adding the VLAN after having set the IP's for cluster members gives no warning.
But about routing in switches: I just don't have experience. Theory is one thing and practice is another. If I enable routing there then I don't know the consequences, be they general or device/vendor-specific. I am careful and want to test first.
Now when trying to find some other way I think this should work: add the very same VLAN that I use for management-separately-IPs to virtual server environment and add another NIC to the management terminal and put it in the same VLAN, then no routing is needed, there's direct access.
- « Previous
-
- 1
- 2
- Next »
Related Posts
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.