Description
This article describes how to dedicate an interface to management.
Scope
All FortiGate with mgmt, mgmt1 and mgmt2 interfaces.
Solution
Note: Management interfaces should be used for management traffic only. It is strongly advisable not to use them for processing general user traffic. Such use may adversely impact system stability.
The following command dedicates an interface to management. This feature is only available on models with mgmt, mgmt1 and mgmt2 interfaces and applies only to those interfaces:
config system interface
    edit mgmt2
        set dedicated-to management
    end
Firewall policies cannot be created using an interface configured with this setting. The setting also allows trusted host IPs to be configured on the interface, and these override the trusted host IPs configured in the admin account.
A "connected" route is added to the VDOM routing table. Static or dynamic routes can also be added.
The following example shows mgmt2 configured as dedicated-to management:
FG-5KB-5140-E-7 # show system interface mgmt2
config system interface
    edit "mgmt2"
        set vdom "root"
        set ip 192.168.1.10 255.255.255.0
        set allowaccess ping fgfm
        set type physical
        set dedicated-to management <--------
        set snmp-index 14
    next
end
It is not possible to create a firewall policy using mgmt2; note that mgmt2 is absent from the list of selectable interfaces:
FG-5KB-5140-E-7 (policy) # edit 2
new entry '2' added
FG-5KB-5140-E-7 (2) # set dstintf
<string> Please input string value
any Match any interface in the virtual domain.
virtual-wan-link Match the virtual WAN link in NAT mode.
*
base1 interface
base2 interface
fabric1 interface
fabric2 interface
mgmt1 interface
npu0-vlink0 interface
npu0-vlink1 interface
npu1-vlink0 interface
npu1-vlink1 interface
port1 interface
port2 interface
port3 interface
port4 interface
port5 interface
port6 interface
port7 interface
port8 interface
A "connected" route is automatically added to the routing table:
FG-5KB-5140-E-7 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 172.31.19.254, mgmt1
C 172.31.16.0/22 is directly connected, mgmt1
C 192.168.1.0/24 is directly connected, mgmt2 <--------
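As an added check that is not part of this article or of Fortinet's own tooling, the Python below parses a FortiOS configuration dump of the kind shown above and reports mgmt interfaces that lack "set dedicated-to management", plus any firewall policy that still references a mgmt interface. The sample configuration is constructed, and the parser only understands flat config/edit/next/end blocks (no nested config sections).

```python
SAMPLE_CONFIG = """\
config system interface
    edit "mgmt1"
        set allowaccess ping https ssh fgfm
    next
    edit "mgmt2"
        set vdom "root"
        set ip 192.168.1.10 255.255.255.0
        set allowaccess ping fgfm
        set dedicated-to management
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "mgmt1"
    next
end
"""  # constructed sample, modelled on the article's mgmt2 output

def parse_sections(config):
    """Return {section: {entry: {key: value}}}; flat config/edit/next/end blocks only."""
    sections, section, entry = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.replace('"', "")
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections

def audit(config):
    """Flag mgmt* interfaces not dedicated to management, and policies referencing any of them."""
    cfg = parse_sections(config)
    interfaces = cfg.get("system interface", {})
    mgmt = [n for n in interfaces if n.startswith("mgmt")]
    not_dedicated = [n for n in mgmt if interfaces[n].get("dedicated-to") != "management"]
    policy_hits = [(pol, intf) for pol, attrs in cfg.get("firewall policy", {}).items()
                   for intf in (attrs.get("srcintf"), attrs.get("dstintf")) if intf in mgmt]
    return {"not_dedicated": not_dedicated, "policies_using_mgmt": policy_hits}
```

Run audit() over the output of "show full-configuration" saved from the device; an empty result for both keys means every mgmt interface is dedicated and unused by policies.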